Foreword by Quentin Ladetto


Being invited to provide a foresight perspective on data protection and encryption 
technologies is quite challenging. The data we need to protect today is significant, 
not neglecting the numerous risks and forms of attacks we need to anticipate. Are we 
looking to protect access to the data, its transfer, its computation, or its commercial 
exploitation? How long should the data be protected or resist attacks? Any answer to 
those questions will undoubtedly lead to different design choices and technological 
challenges. 

Historically, protection to prohibit access to data and information has always 
existed, as well as different forms of encryption. However, the digitalization of our 
society has increased its importance. Phrases like “software is eating the world” and
"data is the new gold" reflect the crucial importance of data in our modern society. 
Via all the connected devices and the various digital applications, the ultimate goal 
via the production of data is the complete and permanent anticipation of all desires 
and needs of the individuals. Unfortunately, the main driving force behind those 
developments is not the individual's well-being per se but the leveraging of the 
collected data for commercial purposes. Therefore, data protection related to privacy 
became essential to fulfill that goal and comply with new regulations, leading to 
specific research and innovation. 

The digitalization trend illustrates the importance of society in developing and 
accepting data protection and encryption technologies. The past years’ economic, 
political, and research environment has allowed the emergence of our technological 
level in this area. However, values and lifestyles are being challenged today and, as 
such, shall be our priorities for the upcoming years. 

The development run of areas such as quantum computing, artificial intelligence, 
and biometrics, to take only a few trends addressed in this book, is driving the 
developments of the future of data protection and encryption technologies. This 
book provides a valuable overview of the upcoming challenges and trends with 
practical recommendations. It is a must-read for any decision-maker who must
protect their data against current and emerging cyber threats. 


Thun, Switzerland    Quentin Ladetto
November 2022        Head of Technology Foresight,
                     armasuisse Science and Technology


Foreword by Florian Schütz 


Data fuels our modern economy and is at the heart of our digital lifestyle. Its 
protection is, therefore, not only important but crucial for modern societies to 
function. When discussing the protection of data, quite often, the public discussion 
focuses on confidentiality. However, with increasing dependence on technology 
for everyday services, the understanding that availability and integrity are just as 
important spreads fast beyond expert circles. Data protection is a topic that has 
been discussed previously. For example, the Spartans already used cryptography, 
the best-known means to protect data. However, modern, interconnected large- 
scale systems have very different requirements, not only on the robustness of 
protection mechanisms but also on their scalability and maintainability. To protect 
ourselves, an organization, or even a nation, it is, therefore, crucial to maintain 
an overview of available technologies and innovations that have the potential to 
fill gaps or improve current solutions. The National strategy for the protection of 
Switzerland against cyber risks 2018-2022¹ has, therefore, as its first measure the
"early identification of trends and technologies and knowledge building." This book 
is a significant contribution toward our national strategy—and beyond. Today's 
and future information and industrial control systems often face data protection 
challenges that still need to be met satisfactorily. For example, a significant enabler 
in e-commerce is machine learning, which can enable better customer experiences 
through targeted recommendations. At the same time, the combination of data to 
extrapolate knowledge about customer preferences and requirements might allow 
profiling beyond reason. Further, accumulating data in a data lake benefits machine 
learning but, without proper protection, gives access to data beyond what a single 
entity would need. Challenges like these can be met using technologies such 
as, for example, searchable symmetric encryption revealing a subset of data that 
the person or algorithm searching is allowed to see without revealing the entire 
dataset. In this book, the authors introduce encryption fundamentals, discuss critical 
technologies for data protection, and present specific use cases. This makes the book
a valuable guide for decision-making within the Swiss Federal administration and
administrations of other nations. Nevertheless, limiting the view on governments
only would not do the book justice. This book will also serve the industry well.
While its primary audience will be Chief Information Security Officers (CISO) and
Chief Technology Officers (CTO), it will also be interesting for the tech-savvy board
members or engineers looking to get an entry point into data protection topics. Last
but not least, the book will be interesting for anyone interested in data protection
and encryption. I am happy that this significant contribution by the Cyber-Defence
Campus toward our strategic goals has been made available for everyone — as true
resilience against cyber threats requires all of us to properly understand protective
technology and its applicability to today's challenges.

¹ National strategy for the protection of Switzerland against cyber risks (NCS) 2018-2022.


Bern, Switzerland    Florian Schütz
February 2023        Federal Cyber Security Delegate


Preface 


Militaries and governments have long used encryption technologies to facilitate 
secret communication. However, today, encryption technologies are equally crucial 
in protecting our economy and civil society. Moreover, encryption technologies are 
critical enablers of the ongoing transformation in the digital economy and online 
society. For example, encryption technologies are widely used to secure financial 
transactions over blockchains, authenticate users, or secure cloud and personal 
computing environments. 

The present study was conducted in Switzerland in 2022 to provide an overview 
of the changing landscape of encryption and data protection technologies and their 
global usage trends. The Swiss Confederation tasked the Cyber-Defence Campus to 
identify the 38 most relevant encryption and data protection technologies, analyze 
their expected evolution until 2025, and derive implications for the military, civil 
society, and economy sectors. 

Fifty experts from academia, the government, and the industry have contributed 
to this study and provided their viewpoints on the different technologies and trends. 
This comprehensive collection of factsheets provides a reference for organizations 
and individuals that need to elaborate coherent and efficient data protection and 
encryption strategies in the coming years. The 38 technologies have been sorted 
into 5 categories. First, encryption foundations represent the technologies used 
to create other encryption applications. Second, low-level applications represent 
the technologies that focus on micro functionalities. Third, high-level applications 
represent the technologies that focus on more abstract and macro functionalities. 
Fourth, data protection represents the technologies used to protect data without 
encrypting these data. Finally, use cases represent concrete ways the different 
technologies can be used together to create a working solution. 

Each factsheet contains an introduction of the technology, a trend analysis, 
the consequences for Switzerland, and a conclusion. At the end of the book, 
we compare the trends of the different technologies using a scientometric and
Wikipedia pageview analysis as well as data from open source code collected from 
GitHub. 

We wish you a pleasant and insightful read. 


Thun, Switzerland    Valentin Mulder
November 2022        Alain Mermoud
                     Vincent Lenders
                     Bernhard Tellenbach
Part I
Encryption Foundations


Chapter 1
One-Time Pad


Thomas Lugrin


1.1 Introduction 


The one-time pad is a simple cipher. It ensures a perfect form of confidentiality
known as perfect secrecy by combining a plaintext and a key of the same length with
the exclusive-or (XOR) operator to produce a ciphertext. However, it lacks basic
security properties shared by standard ciphers, namely authentication and integrity.
The central issue of the key exchange between communication partners must be
solved by other means. Some modern stream ciphers derive from the one-time pad
in that they simulate its mechanism.


1.2 Analysis 


The invention of the one-time pad can be attributed to Gilbert S. Vernam, who
developed an automated system for teletypewriters using punched paper tapes in
1917 [1]. Together with Joseph O. Mauborgne, he realized that if the keystream, i.e.,
the distribution of the punches on the tape, was uniformly random and independent,
as on an infinite non-periodic tape, the cipher would be unbreakable. An earlier
mention of the one-time pad can be found in an 1882 publication by Frank
Miller [2] and could have been a source of inspiration for Vernam [3]. A famous
implementation of the one-time pad is the hotline between the United States and the
USSR that was established in 1963 [4].


T. Lugrin (✉)
Federal Administration, Bern, Switzerland
e-mail: thomas.lugrin@vtg.admin.ch


1.2.1 Definition


The one-time pad takes a plaintext message and a random key of the same length as 
inputs. The message and key are represented in bits in a modern setup. Encryption 
consists of adding the message to the key using the XOR operator. The result is 
the ciphertext. The one-time pad decryption process is similar, as the ciphertext is 
XOR-ed with the same key to recover the plaintext. The simplicity of the encryption 
and decryption process makes it a very fast cipher, but the length of the key makes 
it difficult to use in practice. 

In 1949, Claude E. Shannon formally showed that the one-time pad has perfect
secrecy in an information-theoretic sense [5]. Any ciphertext of a given length can be
the encryption of any plaintext of the same length with equal probability. Moreover,
adversaries with arbitrarily large computing power cannot break it, which
means it is also resistant to quantum computers.

The one-time pad is, however, not perfect in a broader sense, as it does 
not provide authentication of the sender, nor does it ensure the integrity of the 
ciphertext; a malicious intermediary can modify the ciphertext without any of the 
communicating parties noticing it. Even worse, if parts of the plaintext are known, 
as is typical in e-mail headers, the corresponding ciphertext parts can be altered 
to yield precisely any malicious plaintext of the same length. Re-using the key 
completely breaks the one-time pad security: XOR-ing two ciphertexts gives the 
XOR-ed plaintexts. If there is enough redundancy in text encoding, e.g., ASCII, one 
can recover the two plaintexts. More generally, this means that the keystream used 
by the one-time pad must be free of any dependence patterns, i.e., it must be truly 
random, see Chap. 7. 
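The XOR mechanism, the key-reuse leak and the missing integrity described in this section, as an added Go example that is not code from the book. The HMAC-SHA256 tag under a separate authentication key is this example's own choice for the "other means" the chapter calls for; all function names are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// xorBytes combines two equal-length byte strings with XOR. Because XOR is its
// own inverse, the same function both encrypts and decrypts a one-time pad.
func xorBytes(a, b []byte) ([]byte, error) {
	if len(a) != len(b) {
		return nil, errors.New("one-time pad: key and message lengths differ")
	}
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// newPad draws a fresh, uniformly random key of the requested length from the
// operating system CSPRNG; the keystream quality is what the chapter insists on.
func newPad(n int) ([]byte, error) {
	key := make([]byte, n)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// keyReuseLeak shows why a pad must never be used twice: XOR-ing two
// ciphertexts produced under the same key cancels the key and leaves the XOR of
// the two plaintexts, which is exactly what an observer learns.
func keyReuseLeak(p1, p2, key []byte) ([]byte, error) {
	c1, err := xorBytes(p1, key)
	if err != nil {
		return nil, err
	}
	c2, err := xorBytes(p2, key)
	if err != nil {
		return nil, err
	}
	return xorBytes(c1, c2) // equals p1 XOR p2; the key has dropped out
}

// sealWithTag adds the integrity the bare pad lacks: an HMAC-SHA256 tag over
// the ciphertext under a separate authentication key. Returns ciphertext || tag.
func sealWithTag(msg, pad, macKey []byte) ([]byte, error) {
	ct, err := xorBytes(msg, pad)
	if err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	return append(ct, m.Sum(nil)...), nil
}

// openWithTag verifies the tag in constant time before decrypting, so a modified
// ciphertext is rejected instead of yielding a silently altered plaintext.
func openWithTag(sealed, pad, macKey []byte) ([]byte, error) {
	if len(sealed) < sha256.Size {
		return nil, errors.New("message too short")
	}
	ct, tag := sealed[:len(sealed)-sha256.Size], sealed[len(sealed)-sha256.Size:]
	m := hmac.New(sha256.New, macKey)
	m.Write(ct)
	if subtle.ConstantTimeCompare(tag, m.Sum(nil)) != 1 {
		return nil, errors.New("integrity check failed")
	}
	return xorBytes(ct, pad)
}

func main() {
	msg := []byte("ATTACK AT DAWN") // constructed sample plaintext
	pad, _ := newPad(len(msg))
	macKey, _ := newPad(32)
	sealed, _ := sealWithTag(msg, pad, macKey)
	sealed[0] ^= 0x01 // an intermediary flips one bit in transit
	_, err := openWithTag(sealed, pad, macKey)
	fmt.Println("tampered message rejected:", err != nil)
}
```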


1.2.2 Trends 


The concept of the one-time pad offers an excellent pedagogical introduction to 
modern ciphers. However, in practice, its usage is rare and limited to circumstances 
where perfect secrecy is of utmost importance and integrity and authenticity can be 
guaranteed by other means. 

Most current stream ciphers are simulations of the one-time pad: a random seed, 
e.g., a 256-bit sequence, is first defined, from which a deterministic pseudo-random 
keystream is then generated. 


1.3 Consequences for Switzerland 


The one-time pad should generally not be used, and standardized symmetric 
encryption algorithms should be preferred and used with the appropriate parameters 
and the correct implementation, see Chap. 2. Its usage is costly, and its setup is
complicated. Nevertheless, its use could be envisaged in particular government 
applications where perfect secrecy is a must. The key exchange shall be performed 
reliably, the keys securely stored until their use and systematically destroyed after 
encryption. Further measures are required to guarantee the communicating parties’ 
authenticity and the encrypted messages’ integrity. 

The development of Quantum Key Distribution (QKD, see Chap. 9) renewed 
interest in the one-time pad [6], as keys could be shared on an interception-aware 
channel. In practice, however, attacks exist that take advantage of the redundancy 
of the signal [7], meaning that the one-time pad using QKD would not guarantee 
perfect secrecy. 


1.3.1 Implementation Possibilities 


A critical aspect in the application of the one-time pad is the quality of the source of 
randomness used to feed the keystream. It should be investigated and verified before 
use. The correctness of its implementation should be verifiable. In particular, the 
same key should never be re-used. The reliability of the key exchange mechanism 
should undergo a thorough investigation, and authenticity and integrity should be 
guaranteed to hold using different mechanisms. 

The length of the key is a hindrance to using the one-time pad; if a secure channel 
exists to communicate a key of the same length as the message to be sent, this same 
channel could also serve to send that same message. Nevertheless, in the standard 
one-time pad setup, the secret key exchange would typically happen before the 
exchange of the message, thus providing a shift of secrecy through time. The one- 
time pad offers, however, neither authentication nor integrity. 

The properties of the one-time pad make it hardly usable in practice, except in 
particular circumstances, typically in the government, and must be complemented 
by authentication procedures and integrity protocols. 


1.4 Conclusion 


The one-time pad is interesting from a theoretical point of view, but its use in
practice is complex and questionable. It is very appealing because of
its perfect secrecy property. However, it lacks basic security properties shared by
standard ciphers, namely authentication and integrity, and the central issue of the
key exchange between communication partners must be solved by other means. Secure
stream ciphers, which simulate the one-time pad, should be preferred.
Chapter 2
Symmetric Cryptography


François Weissbaum and Thomas Lugrin


2.1 Introduction 


To guarantee the confidentiality of a message or information, different encryption 
methods are used. In almost all applications, data is encrypted symmetrically. In 
most cases, it is advised to encrypt data using symmetric methods. The key length 
for symmetric encryption must be at least 256 bits to guarantee a sufficient level of 
protection against the possible arrival of quantum computers. The use of standard 
methods such as AES with 256 bits should be promoted. 


2.2 Analysis 


Different encryption methods can be used to guarantee the confidentiality of a 
message or information. Symmetric encryption is the most common method, for 
example, for file encryption, messaging and data transfer, as it is fast and secure, 
provided the length of the encryption key is large enough. The encryption key is 
exchanged through a secure channel or asymmetric encryption methods. 


2.2.1 Definition 


Encryption is a cryptographic process that makes it impossible to gain knowledge
of plaintext for anyone who does not have the decryption key. Encryption is called
symmetric when it uses the same key for encryption and decryption. See Chap. 3 for
details on asymmetric cryptography.


F. Weissbaum · T. Lugrin (✉)

Symmetric ciphers are generally grouped into two sub-categories: stream and 
block ciphers. Stream ciphers generate a continuous keystream and combine it bit 
by bit with the plaintext to produce the ciphertext, typically using the exclusive- 
or (XOR) operator; block ciphers divide the plaintext into fixed-size sequences 
of bits called blocks, potentially applying some padding. They then run the same 
encryption procedure on each block. Various procedures have been standardized, 
also known as modes of operation [1, 2]. In order to ensure a good level of security, 
each block should have a length of at least 128 bits. The distinction between the 
two cipher types is loose since block ciphers applied to 1-bit blocks are essentially 
stream ciphers. Block ciphers operating in counter mode (CTR) provide a good 
example, where a block-counter appended to a fixed random nonce is encrypted, 
de facto providing a keystream, which is then XOR-ed with the blocks of plaintext. 
The output feedback mode (OFB) is another example with a similar structure. 

It is essential to verify that an encrypted message has not been modified during 
its transport. This is why the authenticity—or at least the integrity—of the encrypted 
message should be verified before decrypting it. This requirement can be satisfied by 
using, e.g., Authenticated Encryption or Authenticated Encryption with Associated 
Data (AEAD) [3, 4], which ensure data confidentiality as well as authenticity. 
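As an added Go example (not the book's code), the counter-mode structure described above is built by hand from the AES block cipher, i.e., the keystream is the encryption of nonce || counter, and compared with the library's CTR mode; it then shows that plain CTR decrypts a modified ciphertext without complaint while AES-GCM, an AEAD mode, rejects it. The all-zero key and nonce are constructed test values, and the function names are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// ctrKeystreamXOR implements counter mode by hand: the block cipher encrypts
// nonce || counter for counter = 0, 1, 2, ... and the keystream is XOR-ed with
// the data. nonce is 12 bytes; a 4-byte big-endian counter fills the 16-byte block.
func ctrKeystreamXOR(key, nonce, data []byte) ([]byte, error) {
	if len(nonce) != 12 {
		return nil, errors.New("nonce must be 12 bytes")
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	counterBlock := make([]byte, aes.BlockSize)
	keystream := make([]byte, aes.BlockSize)
	copy(counterBlock, nonce)
	for i := 0; i < len(data); i += aes.BlockSize {
		binary.BigEndian.PutUint32(counterBlock[12:], uint32(i/aes.BlockSize))
		block.Encrypt(keystream, counterBlock)
		for j := i; j < len(data) && j < i+aes.BlockSize; j++ {
			out[j] = data[j] ^ keystream[j-i]
		}
	}
	return out, nil
}

// ctrStdlib does the same through the library's CTR mode; its 16-byte IV is
// laid out as nonce || zero counter, so both outputs must agree.
func ctrStdlib(key, nonce, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	copy(iv, nonce)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// gcmSeal and gcmOpen use AES-GCM: the tag appended by Seal lets Open refuse
// any ciphertext or associated data that was modified in transit.
func gcmSeal(key, nonce, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, nonce, plaintext, aad), nil
}

func gcmOpen(key, nonce, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, sealed, aad)
}

func main() {
	key := make([]byte, 32)   // constructed all-zero AES-256 key, illustration only
	nonce := make([]byte, 12) // constructed; use a fresh random nonce per message in practice
	msg := []byte("meeting moved to room 12")
	ct, _ := ctrKeystreamXOR(key, nonce, msg)
	ct[21] ^= 0x01 // unauthenticated CTR: a flipped ciphertext bit flips the same plaintext bit
	pt, _ := ctrStdlib(key, nonce, ct)
	fmt.Printf("CTR decrypts the tampered text without complaint: %q\n", pt)
	sealed, _ := gcmSeal(key, nonce, msg, []byte("header"))
	sealed[21] ^= 0x01
	_, err := gcmOpen(key, nonce, sealed, []byte("header"))
	fmt.Println("GCM rejects the tampered text:", err != nil)
}
```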


2.2.2 Trends 


It is advised to encrypt data using symmetric methods in the future. However, the 
required key length for symmetric encryption must be at least 256 bits to guarantee 
a sufficient level of protection against brute force attacks and the possible arrival 
of quantum computers. Therefore, standard methods such as AES [5] with 256 bits 
should be promoted. 

When symmetric encryption is used, it is recommended to complement it with 
methods that guarantee the encrypted message’s authenticity—or at least integrity. 


2.3 Consequences for Switzerland 


Switzerland should continue to use symmetric encryption methods with an appropriate
level of security, as detailed in Sect. 2.2.2.


2.3.1 Implementation Possibilities


In general, one should not develop symmetric encryption algorithms on one's own,
as the standard methods are secure and efficient. Instead, well-established
cryptographic libraries that implement those standard algorithms should be preferred
over homemade implementations. Moreover, when buying a product, one should
check that its parameter setup corresponds to symmetric security of at least 256 bits, 
e.g., standard symmetric encryption algorithms such as AES [5] with 256 bits. The 
AES Algorithm is also known as Rijndael’s Algorithm. The four other algorithms 
(Serpent, Twofish, RC6, and MARS) that were selected for the final round of the 
competition conducted by NIST in 2001 [6] can also be used in addition to the 
standard AES. 


2.4 Conclusion 


Over the last decades, the use of methods guaranteeing the confidentiality of a 
message has exploded, and symmetrical methods have been proven secure in this 
domain. If the proper implementations and parameters are used, these algorithms 
will remain secure even with the arrival of the quantum computer—see, for example, 
Section 2.5 of [7]. Therefore, the choice of secure algorithms and the size of the 
parameters proposed in this document is expected to stay the same over the next 
decade. 
Chapter 3
Asymmetric Encryption


Christian Stohrer and Thomas Lugrin


3.1 Introduction 


While symmetric encryption uses the same key to encrypt and decrypt data, public 
key cryptography uses a pair of keys. One of these keys is used for encryption and 
the other one for decryption. For the security of the public key cryptosystem, only 
the decryption key must be kept secret. For this reason, it is often referred to as 
the private key. On the other hand, the encryption key, or public key, can be made 
publicly available without harming the security of the cryptosystem. 


3.2 Analysis 


For a public key cryptosystem to be secure, it must be computationally infeasible 
to compute the private key from the public key [1]. As the processes for encryption 
and decryption differ from each other and rely on different keys, another name for 
public key encryption is asymmetric encryption. 

Generally, one does not use public key cryptography to encrypt large amounts of 
data directly, as this is generally computationally more expensive than symmetric 
encryption. However, it is common to use public key cryptography to encrypt 
and securely exchange keys of symmetric encryption schemes (see Chap. 2). The 
symmetric keys are then used for bulk data encryption [1, 2]. This combination of 
public key cryptography and symmetric encryption is called hybrid encryption. 
To ensure that only the intended recipient can decrypt a ciphertext, the public
key must be authenticated through other means, e.g., a Public Key Infrastructure 
(PKI) [3]. For more information on key management, see Chap. 4. 
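The hybrid encryption just described, as an added Go example that is not code from the book: a fresh 256-bit AES key encrypts the bulk data with AES-GCM, and only that short key is wrapped with the recipient's public key using RSA-OAEP. It assumes the recipient's public key has already been authenticated (the PKI step above is out of scope), and the type and function names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// HybridMessage carries the RSA-OAEP-wrapped session key next to the
// AES-256-GCM bulk ciphertext (the GCM tag is appended to Sealed).
type HybridMessage struct {
	WrappedKey []byte
	Nonce      []byte
	Sealed     []byte
}

// hybridEncrypt encrypts plaintext of any size for the holder of recipient.
func hybridEncrypt(recipient *rsa.PublicKey, plaintext []byte) (*HybridMessage, error) {
	sessionKey := make([]byte, 32) // fresh AES-256 key for this message only
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Only the 32-byte session key goes through the public-key operation.
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &HybridMessage{WrappedKey: wrapped, Nonce: nonce, Sealed: aead.Seal(nil, nonce, plaintext, nil)}, nil
}

// hybridDecrypt unwraps the session key with the private key and then opens the
// bulk ciphertext; tampering with either part makes the operation fail.
func hybridDecrypt(priv *rsa.PrivateKey, m *HybridMessage) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, m.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap session key: " + err.Error())
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, m.Nonce, m.Sealed, nil)
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	bulk := make([]byte, 4096) // constructed sample: 4 KiB, more than RSA-OAEP can encrypt directly
	if _, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, bulk, nil); err != nil {
		fmt.Println("direct RSA-OAEP of the bulk data fails:", err)
	}
	m, _ := hybridEncrypt(&priv.PublicKey, bulk)
	pt, err := hybridDecrypt(priv, m)
	fmt.Println("hybrid round trip ok:", err == nil && len(pt) == len(bulk))
}
```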

Asymmetric encryption is not the only application for public key cryptography. 
Digital signatures, see Chap. 15, used to verify the authenticity of a document, are 
another important example. Another application is homomorphic encryption, see 
Chap. 8. 


3.2.1 Definition 


An asymmetric encryption scheme uses two different keys, a private one and a 
public one. While the public key is used for encryption and may be known by others, 
the private key is used for decryption and must be kept secret. Like most public 
cryptosystems, asymmetric encryption relies on one-way mathematical functions. 
This means that while it is easy to compute the result from given input data, it is hard 
to recover the input data from the result. Moreover, the corresponding mathematical 
problems are conjectured to be hard, such that it is computationally infeasible to 
decrypt a message without knowing the private key. 


3.2.2 Trends 


The widespread public key systems are based on the integer factorization
problem or the discrete logarithm problem over finite fields and elliptic curves. In
a seminal paper, Peter W. Shor showed that it is possible to solve these problems 
efficiently using a sufficiently powerful quantum computer [4]. This triggered 
the search for replacement schemes. Several standardization agencies are now 
evaluating new proposals for this. In 2022, NIST announced the winners of their 
corresponding competition. For further details, we refer to Chap. 10 dedicated to 
post-quantum cryptography. 


3.3 Consequences for Switzerland 


The advent of the quantum computer threatens public key cryptosystems considered 
secure today. A strategy should therefore be developed that considers the
implications of this threat on the security of current systems and proposes appropriate
measures to ensure the preservation of security. 
3.3.1 Implementation Possibilities: Make or Buy


Generally, one should not develop proprietary public cryptosystems, as the
standardized algorithms have been thoroughly tested and deeply analyzed. Furthermore,
any proprietary design will likely fail and expose weaknesses that may corrupt the 
entire system's security. Therefore, when procuring products involving public key 
cryptography, only those that have been standardized and verified for correctness by 
an appropriate specialized authority should be considered. 


3.3.2 Variation and Recommendation 


We recommend to continue using well-established public cryptosystems, e.g., 
RSA (Rivest-Shamir-Adleman cryptosystem [5]) with OAEP (Optimal Asymmetric 
Encryption Padding), Elgamal over a finite field, and Elgamal over appropriate
elliptic curves. The minimal key length and the required size of the involved parameters
should be chosen according to the current regulation or best practice advice. With 
today's knowledge, these algorithms are considered secure, although they are known 
to be vulnerable to future powerful quantum computers. Cryptosystems based on 
elliptic curves (ECC) can use shorter keys and are thus more efficient to achieve 
the same security level against attacks with classical, i.e., non-quantum computers. 
They should therefore be preferred over RSA and classical Elgamal. However, the 
above reasoning does not hold when considering attacks against a future
large-scale quantum computer. In this scenario, one should not try to enhance security by
using larger keys; one should instead use alternative quantum-safe cryptosystems, 
see Chap. 10. 

In addition, one should follow the various standardization initiatives for new
quantum-safe alternative public key algorithms and integrate them accordingly to
mitigate the threat posed by quantum computers. For this, a deep understanding of 
algorithms and a close inspection of possible solutions are necessary. 


3.4 Conclusion 


Asymmetric cryptography is a core part of many cryptographic applications. For 
example, it allows for encrypting messages, exchanging secret keys over an insecure 
channel, and establishing authenticity using digital signatures. 

Current public cryptosystems are considered secure against classical computers 
(operating with bits), but the large majority of those commonly used today will be 
broken by attacks from not yet existing powerful quantum computers. Therefore, a 
corresponding strategy should be developed and implemented to counter this risk. 
Chapter 4
Key Management


Cyrill Krähenbühl and Adrian Perrig


4.1 Introduction 


Key management describes how cryptographic keys are created, securely stored,
distributed to the respective key holders, and used in accordance with protocol
specifications. It is thus a cornerstone of most cryptographic systems and must
be handled with care. Advances in hardware security modules (HSM) used in key
storage and in high-end as well as low-cost random number generators used in key
generation show a promising future for secure and affordable key management.
However, future challenges, such as quantum resilience, have to be overcome by
new key management systems. For the military, existing experience in handling
cryptographic keys could help in the development of a key management system,
and the reputation of Switzerland could help promote key management systems
developed in Switzerland.


4.2 Analysis 


Key management comprises all steps in creating, storing, distributing, recovering, 
and using cryptographic keys. Key management is a vital part of any cryptographic 
system since the security guarantees often depend on correctly performed key 
management. 
4.2.1 Definition


Key management can be split into four stages: creation, storage, distribution, and 
usage of keys. 


4.2.1.1 Key Creation 


Key creation typically consists of deriving a cryptographic key from a source of
randomness. In the case of the public-key cryptosystem RSA, key generation creates
large prime numbers by randomly choosing large numbers until the number is
prime. For the elliptic curve cryptosystem Ed25519 and the symmetric cipher AES (see
Chap. 2), the private keys are randomly drawn 256- or 128-bit numbers. Apart from
common pitfalls, such as improper use of key derivation functions, the most crucial
property of key creation is a good source of randomness (see Chap. 7) with sufficient
entropy [1].


4.2.1.2 Key Storage


Once keys are generated, they must be stored securely. Hardware security modules 
(HSM) are commonly used to protect the confidentiality of keys (see Chap. 16). This 
is essential, especially in the case of key hierarchies, where one key can be used to 
generate or issue other keys, and a compromised key (especially the root key) would 
invalidate all security properties. While key creation and storage are difficult to 
implement correctly, there are widely accepted solutions, such as hardware random 
number generators (HRNG) and HSMs from well-established vendors. 


4.2.1.3 Key Distribution


Key distribution is typically the most challenging part of key management, as 
multiple systems must correctly interact over potentially insecure channels. Key 
distribution works differently depending on the type of keys. Symmetric keys are 
typically pre-shared out-of-band, for example, by storing them in physical smart 
cards or distributing them via a trusted channel, such as a secure connection over the 
Internet. Asymmetric keys can be pre-shared or generated by the user and authorized 
through delegation via digital certificates, including the corresponding public key. 
This public key infrastructure (PKI) approach is widely used to authenticate web 
traffic through the web PKI, domain names through the DNS PKI (DNSSEC), 
and network resources through the resource PKI (RPKI). Delegation in a PKI 
typically involves proof of the ownership of a resource, such as domain names or IP 
prefix ranges. A challenge in key distribution is the revocation of keys that are no 
longer valid, for example, because the key was compromised or the resource owner
changed. 


4.2.1.4 Key Usage 


Once keys are distributed to the respective users, keys must be used according to 
the protocol specifications. Depending on the protocol, keys can be reused without 
implications, or key reuse can potentially compromise the security properties of the 
protocol. Therefore, a protocol must define policies, for example, whether the key 
is stored in memory or on a trusted platform module (TPM), how often a key is 
replaced (key rollover), or for which operation a key can be used. 
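The four stages above, as an added Go example that is not code from the book: keys are created from the OS randomness source, a root key delegates to a subordinate key by signing a small certificate-like statement (distribution), and every use is checked against the root signature, the validity window (rollover), a revocation set, and the purpose the key was issued for (usage policy). The Delegation format, purpose strings and function names are this example's own assumptions, not a real PKI format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Delegation binds a subordinate public key to an allowed purpose and a validity
// window; the root key's signature over the encoded fields authorizes it.
type Delegation struct {
	Subject   ed25519.PublicKey
	Purpose   string // e.g. "sign:orders"; the only operation the key may perform
	NotAfter  int64  // Unix seconds; after this the key must have been rolled over
	Signature []byte
}

// encode produces the canonical bytes the root signs. The purpose is
// length-prefixed so that field boundaries cannot be shifted.
func (d *Delegation) encode() []byte {
	var u [8]byte
	buf := make([]byte, 0, 64+len(d.Purpose))
	buf = append(buf, d.Subject...)
	binary.BigEndian.PutUint32(u[:4], uint32(len(d.Purpose)))
	buf = append(buf, u[:4]...)
	buf = append(buf, d.Purpose...)
	binary.BigEndian.PutUint64(u[:], uint64(d.NotAfter))
	return append(buf, u[:]...)
}

// issue creates a delegation signed by the root private key (key distribution).
func issue(root ed25519.PrivateKey, subject ed25519.PublicKey, purpose string, notAfter time.Time) *Delegation {
	d := &Delegation{Subject: subject, Purpose: purpose, NotAfter: notAfter.Unix()}
	d.Signature = ed25519.Sign(root, d.encode())
	return d
}

// Revocations is the set of delegated public keys known to be compromised or
// retired, the revocation problem the chapter names as a distribution challenge.
type Revocations map[string]bool

func (r Revocations) Revoke(pub ed25519.PublicKey) { r[string(pub)] = true }

// verifyUse accepts sig over msg only if the delegated key (1) chains to the
// root, (2) is within its validity window at time now, (3) is not revoked, and
// (4) is used for the purpose it was issued for.
func verifyUse(rootPub ed25519.PublicKey, d *Delegation, revoked Revocations, now time.Time, purpose string, msg, sig []byte) error {
	if !ed25519.Verify(rootPub, d.encode(), d.Signature) {
		return errors.New("delegation not signed by root")
	}
	if now.Unix() > d.NotAfter {
		return errors.New("delegation expired; key rollover required")
	}
	if revoked[string(d.Subject)] {
		return errors.New("delegated key revoked")
	}
	if d.Purpose != purpose {
		return errors.New("key used outside its authorized purpose")
	}
	if !ed25519.Verify(d.Subject, msg, sig) {
		return errors.New("bad signature under delegated key")
	}
	return nil
}

func main() {
	// Key creation: both key pairs are drawn from the OS randomness source.
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	subPub, subPriv, _ := ed25519.GenerateKey(rand.Reader)
	d := issue(rootPriv, subPub, "sign:orders", time.Now().Add(24*time.Hour))
	revoked := Revocations{}
	msg := []byte("order 17: 50 units") // constructed sample message
	sig := ed25519.Sign(subPriv, msg)
	fmt.Println("valid use:", verifyUse(rootPub, d, revoked, time.Now(), "sign:orders", msg, sig))
	fmt.Println("wrong purpose:", verifyUse(rootPub, d, revoked, time.Now(), "encrypt:files", msg, sig))
	revoked.Revoke(subPub)
	fmt.Println("after revocation:", verifyUse(rootPub, d, revoked, time.Now(), "sign:orders", msg, sig))
}
```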


4.2.2 Trends 


Regarding key creation, hardware components such as HRNGs are becoming 
more accessible. Specialized HRNG, for example, optical quantum random
number generators, can generate randomness at high bandwidth [2], while low-cost
HRNGs, for example, based on timing jitter in Field Programmable Gate Arrays 
(FPGAs), can generate randomness at reasonable rates while only consuming 
limited resources [3]. The cost of hardware security modules for storing keys varies 
significantly depending on their security guarantees and performance. However, 
with several competitors in this market (including Swiss HSM producers [4]), the 
cost may continue to decrease over time. In addition, recent advances in verifying 
the correct operation of HSMs show a promising trend for the security of HSMs [5]. 

Apart from HSMs, key management systems geared towards personal use, for 
example, based on smart cards distributed to citizens or on capabilities of ubiquitous 
devices, such as smartphones, can be envisioned in the future to provide digital 
identities for Swiss citizens. 

There are several improvements in the field of public key infrastructures. Free 
certificates are issued by certificate authorities such as Let's Encrypt through 
automatic certificate issuance, which increases the coverage of the web PKI [6]. 
After a relatively slow adoption in the first few years since its inception in 2012, the 
deployment of RPKI protecting IP address resources has been steadily increasing 
over the last three years, reaching 40% coverage today [7]. In addition to the 
increasing adoption of existing PKI systems, we observe advances in solving the 
problems of revocation [8], lack of flexibility of relying parties [9], and efficient 
distribution of symmetric keys [10]. 
4.3 Consequences for Switzerland 


For the military, secure key management is essential to maintain autonomy and 
protect against foreign and domestic adversaries. Single entities that can impact 
the operation or security of the key management system are potential threats that 
must be assessed carefully. An example of such an entity is a kill switch that can 
shut down a large portion of the (Internet) communication [11]. In the commercial 
sector, depending on the sensitivity of the data, separate key management systems are 
already in use today, as shown by the SCION-based Secure Swiss Finance Network 
(SSFN), which provides high availability and security for communication between 
Swiss banks. 


4.3.1 Implementation Possibilities: Make or Buy 


For the military, buying a key management system or developing a custom one 
represents a fundamental choice. The main reason for developing a system is 
that in the military, there is a large amount of knowledge and experience in key 
management on various aspects, such as key storage and distribution. On the 
other hand, purchasing a standard key management protocol from a trusted vendor 
might facilitate collaboration with foreign entities while not absorbing the limited 
development resources of the military. 

Civil society and businesses have little incentive to develop their own key manage- 
ment systems, given the lack of know-how and the high cost. The exception could be a 
security-focused IT company that uses Switzerland's reputation as a "safe" country 
to market the developed product (see Securosys [4]). For both sectors, buying is 
the natural choice, as it allows for easier interoperability with other organizations, 
typically at a lower cost (Table 4.1). 


4.3.2 Variations and Recommendation 


The adversary model is an important aspect to consider when investing in a 
key management system. For example, the system may need to provide quantum 
resilience to remain confidential for an extended period, or it may be sufficient to 
consider state-of-the-art adversaries. For the former, a hybrid approach combining 
symmetric and asymmetric keys, such as TLS hybrid key exchange [12], can be a 
good solution. Such an approach benefits from the quantum resilience of symmetric 
cryptosystems [13] and the valuable properties of public-key cryptosystems. 
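The hybrid idea above can be made concrete with the key derivation function used by TLS 1.3, HKDF (RFC 5869), which also illustrates the per-operation key policies of Sect. 4.2.1.4. The Python code below is an added example for this chapter, not material from the book or from any vendor: it implements HKDF on top of the standard library's HMAC, checks itself against RFC 5869 test case 1, and then combines a pre-shared symmetric key with the output of an asymmetric key exchange in the shape of the TLS 1.3 key schedule (simplified: the transcript-bound labels of the real schedule are left out, which is an assumption of this sketch). The pre-shared key and the key-exchange output are constructed stand-in values, not the result of a real exchange.

```python
"""HKDF (RFC 5869), purpose-separated keys, and a PSK/asymmetric combiner.
Added example, not from the book. The "shared secret" values are constructed
stand-ins for real key-exchange outputs; only the KDF structure is shown."""
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """PRK = HMAC-Hash(salt, IKM); an empty salt means HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """OKM = T(1) || T(2) || ... with T(i) = HMAC(PRK, T(i-1) || info || i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-Expand: requested length too large")
    okm, block = b"", b""
    for counter in range(1, (length + HASH_LEN - 1) // HASH_LEN + 1):
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
    return okm[:length]


def rfc5869_selfcheck() -> bool:
    """RFC 5869, Appendix A, test case 1 (SHA-256)."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
                             "34007208d5b887185865")


def hybrid_secret(psk: bytes, kex_secret: bytes) -> bytes:
    """Combine a pre-shared symmetric key with an asymmetric key-exchange output.

    Shape follows the TLS 1.3 key schedule: the PSK feeds an early secret, which
    salts the extraction of the key-exchange secret. The transcript-bound
    "derived" labels of the real schedule are omitted (assumption of this sketch).
    Knowing only one of the two inputs does not yield the result."""
    early = hkdf_extract(b"", psk)
    derived = hkdf_expand(early, b"derived", HASH_LEN)
    return hkdf_extract(derived, kex_secret)


def purpose_key(secret: bytes, purpose: bytes, length: int = 32) -> bytes:
    """Bind a key to one operation (encrypt, mac, ...) via a distinct label."""
    return hkdf_expand(secret, b"example-v1 " + purpose, length)


def demo() -> dict:
    psk = bytes.fromhex("11" * 32)             # constructed pre-shared key
    kex = bytes.fromhex("22" * 32)             # constructed (EC)DH / KEM output
    master = hybrid_secret(psk, kex)
    # Adversary who broke the asymmetric part (knows kex) but lacks the PSK:
    asym_only = hybrid_secret(bytes.fromhex("33" * 32), kex)
    # Adversary who holds the PSK but not the key-exchange output:
    psk_only = hybrid_secret(psk, bytes.fromhex("44" * 32))
    return {
        "k_enc": purpose_key(master, b"encrypt"),
        "k_mac": purpose_key(master, b"mac"),
        "asym_only_matches": asym_only == master,   # False
        "psk_only_matches": psk_only == master,     # False
    }
```

Neither an adversary who recovers the asymmetric shared secret (for instance with a future quantum computer) nor one who only obtains the pre-shared key can reproduce the master secret, and the distinct labels give separate keys for encryption and authentication, so a key issued for one operation is never reused for another.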
Table 4.1 Implementation possibilities for different sectors 

Military 
  Make: pros: ample existing experience and knowledge; cons: none 
  Buy: pros: easier collaboration with foreign armed forces; cons: risk of backdoors that are difficult to detect 

Civil society 
  Make: pros: none; cons: costs and difficulty to get it right 
  Buy: pros: beneficial for compatibility between various organizations; cons: none 

Economy 
  Make: pros: use the global reputation of Switzerland as a safe country to market the key management product; cons: costs and difficulty to get it right 
  Buy: pros: many commercial key management systems available; cons: risk of backdoors that enable industrial espionage 


4.4 Conclusion 


There are well-established standards for key management, e.g., FIPS 140-3 [14] 
for hardware security modules or random number generators which provide a 
measurable quality for key management systems. Furthermore, although many 
commercial key management systems exist from reputable vendors, Swiss IT 
security companies can potentially enter the key management market by leveraging 
the trust placed in Switzerland as a safe country. Finally, recent research on PKI 
explores ways to have more flexible notions of trust without the reliance on globally 
trusted entities, solves the revocation problem, and efficiently provides symmetric 
keys between users. 
Chapter 5 
Hash Functions 


Urs Wagner and Thomas Lugrin 


5.1 Introduction 


Hash functions are one-way functions that map arbitrary-length input to fixed- 
length output. Cryptographic hash functions enjoy additional properties, making 
them suitable for many cryptographic applications. Established hash functions are 
considered secure, and no significant development is expected in this area. Insecure 
hash functions should be discarded, and existing secure hash functions should be 
promoted and adequately used. 


5.2 Analysis 


Hash functions have a wide range of cryptographic applications, such as: 


* Integrity check: Two files with the same hash value are, with overwhelming 
probability, identical. Hence, an unchanged hash value indicates an unchanged file. 

* Password storage: The hash value of a password reveals no information about 
the password. Hence, passwords should be stored suitably hashed on the server 
side, i.e., salted and with a deliberately slow password hashing function rather 
than a plain fast hash. 

* Signatures: In digital signatures, the hash of the message is signed rather than the 
whole message itself (see Chap. 15). 

* MACs: By carefully combining a secret key with the input data, hash functions 
can be used to compute Message Authentication Codes (MACs) that guarantee 
the authenticity of the data, e.g., in HMAC [1]. 

* Key derivation: Small changes in the input lead to a random-looking change 
in the output (diffusion property). That makes them useful in key derivation 
functions [2]. 


There exist standardized hash functions that are considered secure, i.e., they satisfy 
the required properties. We are unaware of a quantum algorithm that poses a general 
risk for standard hash functions. For example, the asymptotically quadratic speedup 
of Grover's quantum search algorithm [3] can be countered using hash functions of 
sufficient length. 


5.2.1 Definition 


Cryptographic hash functions are functions mapping input of arbitrary length to a 
fixed-size output and having some additional properties that can be formulated as 
hard problems [4] : 


* Pre-image resistance: It is hard to find an input that maps to a given hash value. 

* Second pre-image resistance: It is hard to find an input that maps to the same 
value as a given different input. 

* Collision resistance: It is hard to find two input values that map to the same value. 


Hash functions having these properties are considered secure and are suitable for 
a wide range of cryptographic applications. Conversely, a hash function is considered 
broken as soon as one of the above three problems can be solved significantly faster 
than by brute force, or as soon as its output is so short that brute force itself becomes 
feasible. 


5.2.2 Trends 


The last competition to find and standardize a new Secure Hash Algorithm (SHA- 
3) ended in 2012 [5] with the announcement of the winner, Keccak. Both SHA-3 
(FIPS PUB 202, [6]) and its predecessor SHA-2 (FIPS PUB 180-4, [7]), with an 
output length of at least 256 bits, are considered secure (concerning the properties 
mentioned in Sect. 5.2.1), and we see no indication that this will change in the next 
few years. Furthermore, other hash functions are considered secure (e.g., BLAKE) [8]. 
We, therefore, consider a significant development in this area unlikely. 


5.3 Consequences for Switzerland 


Switzerland should continue to use and promote the use of cryptographically secure 
and standardized hash functions. 
5.3.1 Implementation Possibilities 


Standardized hash functions considered secure with respect to Sect. 5.2.1 exist, and 
open-source implementations thereof can be used at no cost. There is hence no need 
for Switzerland to develop its own hash functions. 

The security properties required from hash functions depend on the intended 
purpose. For example, a collision attack on the used hash functions has catastrophic 
consequences when it is used in signature schemes (see [9] for an attack scenario), 
whereas this is not necessarily problematic when it is used in HMACs. Nevertheless, 
insecure hash functions should not be used anymore, independently of their area of 
application. 

Numerous hash functions are considered secure concerning the properties men- 
tioned in Sect. 5.2.1; their design and properties differ. For example, a SHA-2 digest 
is the full internal state of its Merkle-Damgård construction, so SHA-2 is vulnerable 
to length extension attacks (a naive MAC built as H(key || message) can be extended 
without the key), whereas the sponge-based SHA-3 is not [8]. This is why hash 
functions cannot be used interchangeably and should be chosen carefully depending 
on the intended purpose. 
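The difference between SHA-2 and SHA-3 noted above, and the reason the MAC construction in Sect. 5.2 has to be HMAC rather than a plain H(key || message), can be shown directly. The Python code below is an added example, not from the chapter: it re-implements SHA-256 (only because hashlib cannot be resumed from an externally supplied state), forges a valid tag for an extended message from the tag of the original message without knowing the secret, and shows that HMAC-SHA256 with the same secret does not accept the forgery. The secret, message and extension are constructed sample values, and the attacker is assumed to know the secret's length (in practice it is guessed or brute-forced). No equivalent trick exists for SHA-3, whose digest is only part of the sponge state.

```python
"""SHA-256 length extension vs. HMAC. Added example, not from the chapter.
SHA-256 is re-implemented only because hashlib cannot resume from a supplied
state; secret, message and extension are constructed sample values."""
import hashlib
import hmac
import math
import struct

MASK = 0xFFFFFFFF


def _primes(n):
    out, c = [], 2
    while len(out) < n:
        if all(c % p for p in out):
            out.append(c)
        c += 1
    return out


def _icbrt(n):
    x = int(round(n ** (1.0 / 3)))
    while x ** 3 > n:
        x -= 1
    while (x + 1) ** 3 <= n:
        x += 1
    return x


_P = _primes(64)
# FIPS 180-4 constants: fractional parts of sqrt / cbrt of the first primes
_H0 = [math.isqrt(p << 64) & MASK for p in _P[:8]]
_K = [_icbrt(p << 96) & MASK for p in _P]


def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def _compress(state, block):
    """One SHA-256 compression of a 64-byte block into the 8-word state."""
    w = list(struct.unpack(">16L", block))
    for i in range(16, 64):
        s0 = _rotr(w[i - 15], 7) ^ _rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
        s1 = _rotr(w[i - 2], 17) ^ _rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
        w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK)
    a, b, c, d, e, f, g, h = state
    for i in range(64):
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25))
              + ((e & f) ^ (~e & g)) + _K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22))
              + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
    return [(x + y) & MASK for x, y in zip(state, (a, b, c, d, e, f, g, h))]


def sha256_padding(total_len):
    """Merkle-Damgard padding for total_len message bytes: 0x80, zeros, bit length."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)


def sha256(msg, state=None, prior_len=0):
    """SHA-256 of msg; with state/prior_len it continues a hash whose first
    prior_len bytes (a multiple of 64) were already absorbed into state."""
    st = list(state) if state else list(_H0)
    data = msg + sha256_padding(prior_len + len(msg))
    for i in range(0, len(data), 64):
        st = _compress(st, data[i:i + 64])
    return struct.pack(">8L", *st)


def length_extension(tag, known_len, ext):
    """From tag = SHA256(secret||msg) and len(secret||msg) only, forge the tag of
    secret||msg||glue||ext: the digest *is* the internal state, so resume it."""
    glue = sha256_padding(known_len)
    forged = sha256(ext, state=struct.unpack(">8L", tag), prior_len=known_len + len(glue))
    return glue + ext, forged


def self_check():
    """The home-grown SHA-256 must agree with hashlib across block boundaries."""
    return all(sha256(m) == hashlib.sha256(m).digest()
               for m in (b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 200))


def demo():
    secret = b"k3y-never-sent"                    # constructed; never seen by attacker
    msg = b"amount=10&to=alice"
    naive_tag = hashlib.sha256(secret + msg).digest()       # MAC as H(key||msg)
    suffix, forged_tag = length_extension(naive_tag, len(secret) + len(msg), b"&to=mallory")
    forged_msg = msg + suffix
    naive_accepts = hashlib.sha256(secret + forged_msg).digest() == forged_tag
    hmac_accepts = hmac.compare_digest(                      # same key, HMAC instead
        hmac.new(secret, forged_msg, hashlib.sha256).digest(), forged_tag)
    return naive_accepts, hmac_accepts                       # (True, False)
```

The forged message carries the original padding bytes as "glue" between the two parts, which is why this attack matters most where the verifier parses loosely (query strings, cookies, file formats that ignore trailing bytes). HMAC applies the hash twice with key-dependent inputs, so knowing the outer digest gives the attacker no resumable state.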

There exist a wide range of cryptographic applications that make use of hash 
functions. The US National Institute of Standards and Technology (NIST) publishes 
standards for hash functions (FIPS 180-4 in [7], FIPS 202 in [6]) as well as for methods 
making use of hash functions (e.g., HMAC in FIPS 198-1, key derivation methods 
including HKDF in SP 800-56C, digital signatures in FIPS 186-5). 


5.4 Conclusion 


Hash functions have been in use in cryptographic applications for a long time. There 
exist established hash functions, and their pitfalls are known and documented. The 
development in computing power, including quantum computers, is not expected 
to yield a general problem with hash functions in the foreseeable future. As 
a consequence, not much development in this area is expected. Insecure hash 
functions should be discarded and existing secure hash functions adequately used. 
Chapter 6 
Zero-Knowledge Proofs 


Imad Aad 


6.1 Introduction 


Zero-knowledge proofs (ZKPs) are techniques to verify claims without revealing 
the underlying information itself. In this process, a "prover" shares a proof of their 
claim with a "verifier", who then checks the proof without learning any 
additional information. ZKPs can be either interactive, where multiple rounds of 
interaction are needed to reach near-certainty, or non-interactive, where the proof can 
be verified in a single shot. One example of a non-interactive ZKP is the zk-SNARK, 
which is succinct (and hence cheap to store) and allows the result of a computation 
to be used as the statement. The key difference between interactive and non-interactive 
ZKPs is that the latter replace the verifier's random challenges with a common 
reference string, allowing the proof to be transferred to third parties. 


6.2 Analysis 


A conventional verification paradigm typically involves a "verifier" and a "prover," 
where the former does not trust the latter prior to the verification process (for 
example, a user proving his age to a service provider). However, it is assumed that 
the user trusts that the service provider will not misuse the shared data, which often 
turns out to be a flawed assumption (e.g., the service provider selling user data to third 
parties) [1-3]. With the massive proliferation of online services, and their providers 
tending to diversify their businesses and monetize the data assets at hand, there is 
a need to rethink the trust the user puts in the service provider (i.e., how much the 
prover trusts the verifier). Optimally, the prover should share the proof of his claim 
with the verifier without revealing any additional information (e.g., sharing proof of 
adulthood instead of the date of birth). 


6.2.1 Definition 


Conceived in 1985, Zero-Knowledge Proofs (ZKP) are techniques to verify claims 
regarding some given information without revealing the information itself. Various 
"basic" examples can be found in the literature [1, 4]: 


* Alice needs to prove to Bob, who is color-blind, that two balls have different 
colors: 

Bob conceals whether he swaps the balls before showing them to Alice again. 
Alice then tells whether they were swapped or not. After repeating the experiment 
several times, Bob can be almost sure whether Alice is telling the truth (i.e., 
the balls have different colors) without learning any extra information (e.g., the 
colors of the balls). 

* Alice proves to Bob that she knows the code to open a hidden door connecting 
two tunnels without revealing the code itself: 

Alice enters one of the two tunnels while Bob waits outside; Bob then calls out 
which tunnel Alice should come back out of. Alice can comply every time only if 
she can open the door. After repeating the experiment several times, Bob can be 
almost sure that Alice knows the code of the door connecting the tunnels without 
learning the code itself. 


Note that ZKPs do not prove things with certainty. Instead, the process is repeated 
as often as needed, eventually reaching near-certainty [2]. 
A ZKP method must satisfy three criteria [2]: 


* Completeness: If the information provided by the prover is accurate, then a ZKP 
method must enable the verifier to verify that the prover is telling the truth. 

* Soundness: If the information provided by the prover is false, then a ZKP method 
must allow the verifier to refute that the prover is telling the truth. 

* Zero-knowledge: The method must reveal to the verifier nothing other than 
whether the prover is telling the truth. 


Types of ZKPs: The “basic” examples described above are called “Interactive 
ZKPs". They share two common properties: 


* Numerous interactions are needed between the prover and the verifier until the 
latter gets convinced. 

* The proof cannot be transferred to third parties (e.g. by recording) who would 
not trust that the verifier did not coordinate his choices with the prover [4]. 


Non-interactive ZKPs also exist, where the proof delivered by the prover can be 
verified in a single shot [5]. This type of ZKP requires more computational power 
than interactive ZKPs. Unlike interactive ZKPs, non-interactive ZKPs apply to large 
groups of verifiers, since the proof can be transferred to third parties, which is a big 
advantage with respect to interactive ZKP solutions. 

One non-interactive ZKP solution is the zk-SNARK (zero-knowledge Succinct 
Non-interactive ARgument of Knowledge) [4, 6, 7]. It has, besides zero-knowledge 
and non-interactiveness, the following properties: 


* Succinct: Regardless of the problem size, the proof is small and of constant size 
(288 bytes in the construction cited), which is convenient for storage cost (e.g., 
on a blockchain). 

* Argument (i.e., claim of the prover): The result of any execution of a computation 
can be used as a statement/argument. 


In order to move from interactive to non-interactive, the zk-SNARK replaces the 
verifier's random challenges to the prover with a "common reference string," i.e., 
a random string agreed upon in advance and accessible to all, generated such that 
no single party can influence the actual random choice. Based on the common 
reference string, the prover simulates the challenges and constructs the proof. The 
verifier then re-runs the check for verification. 
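The three criteria and the two properties of interactive proofs can be seen in a small concrete protocol. The Python code below is an added example, not from the chapter and not one of the examples cited in it: a Schnorr-style interactive proof that the prover knows the discrete logarithm x of y = g^x (the "door code"), a cheating prover who can only win by guessing the challenge (soundness error 1/q per round, so repeated rounds give near-certainty), a simulator that fabricates accepting transcripts without x (why a recording convinces no third party), and a Fiat-Shamir variant in which the challenge is a hash of the prover's commitment, which is a different route to non-interactiveness than the common reference string used by zk-SNARKs. The group parameters (p = 23, q = 11, g = 4) are a constructed toy; real deployments use a group of roughly 256-bit order, where a single round already suffices.

```python
"""Schnorr-style interactive ZK proof of knowledge of a discrete logarithm,
with a cheating prover, a transcript simulator and a Fiat-Shamir variant.
Added example, not from the chapter. Toy group (constructed): p = 2q + 1 with
q = 11, and g = 4 generates the order-q subgroup of Z_p^*."""
import hashlib
import secrets

P, Q, G = 23, 11, 4


def _inv(a):
    return pow(a, P - 2, P)            # modular inverse, P prime


class Prover:
    """Knows x with y = g^x (mod p) and proves it without revealing x."""

    def __init__(self, x):
        self.x = x % Q
        self.y = pow(G, self.x, P)

    def commit(self):
        self.r = secrets.randbelow(Q)
        return pow(G, self.r, P)                    # t = g^r

    def respond(self, c):
        return (self.r + c * self.x) % Q            # s = r + c*x


def verify(y, t, c, s):
    """Accept iff g^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def interactive_proof(prover, rounds):
    """Verifier's side: `rounds` independent challenge/response rounds."""
    for _ in range(rounds):
        t = prover.commit()
        c = secrets.randbelow(Q)                    # fresh random challenge
        if not verify(prover.y, t, c, prover.respond(c)):
            return False
    return True


class CheatingProver:
    """Has y but not x: can only pass by guessing the challenge in advance."""

    def __init__(self, y):
        self.y = y

    def commit(self):
        self.guess, self.s = secrets.randbelow(Q), secrets.randbelow(Q)
        # t rigged so that verification passes exactly when c == guess
        return (pow(G, self.s, P) * _inv(pow(self.y, self.guess, P))) % P

    def respond(self, c):
        return self.s


def cheat_success_rate(y, rounds, trials=2000):
    """Soundness error is about (1/q)^rounds: more rounds, near-certainty."""
    hits = sum(interactive_proof(CheatingProver(y), rounds) for _ in range(trials))
    return hits / trials


def simulate_transcript(y):
    """Zero-knowledge: an accepting (t, c, s) built without x by picking c and s
    first. A recording of the real protocol is therefore worthless to a third
    party, who cannot distinguish it from this fabrication."""
    c, s = secrets.randbelow(Q), secrets.randbelow(Q)
    t = (pow(G, s, P) * _inv(pow(y, c, P))) % P
    return t, c, s


def _fs_challenge(y, t):
    """Fiat-Shamir: the challenge is a hash of the statement and commitment."""
    digest = hashlib.sha256(f"{P}|{G}|{y}|{t}".encode()).digest()
    return int.from_bytes(digest, "big") % Q


def ni_prove(x):
    """Non-interactive variant: nobody chooses c, so the proof is transferable."""
    prover = Prover(x)
    t = prover.commit()
    return prover.y, t, prover.respond(_fs_challenge(prover.y, t))


def ni_verify(y, t, s):
    return verify(y, t, _fs_challenge(y, t), s)
```

With q = 11 a cheater passes a single round about one time in eleven and eight rounds about one time in two hundred million; the simulator shows why the verifier's own randomness is what makes the interactive run convincing, and the Fiat-Shamir variant shows what changes once that randomness is replaced by a public hash.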


6.2.2 Trends 


ZKPs are still in their early days. Open initiatives and standardization efforts involve 
industry, academia, and technical and non-technical specialists. The potential impact 
is well beyond 2025. 


6.3 Consequences for Switzerland 


6.3.1 Public Sector 


ZKPs also bring promising research in “zero knowledge treaty verification". The 
most famous example is "nuclear warhead verification", where ZKPs can give 
information about the nuclear warheads without revealing closed secret designs. The 
details of “nuclear warhead verification" are based on the comparison of physical 
properties of objects (thus the term “physical ZKP") which is out of the scope of 
this article. However, this opens the door for a wide range of other applications in 
international treaties, controls, and mediations. 

Being very active on the international level in treaties and mediations, Switzer- 
land can benefit from ZKPs for specific checks without revealing additional secret 
information, which often hinders negotiations between opposing parties. Identifying 
the specific use cases and the corresponding ZKP solutions can be a potential 
collaboration between authorities and academia. 
6.3.2 Private Sector 


ZKP can have an impact in different areas: 


* ZKPs could revolutionize current web usage in favor of Web3 projects [8]. 
Web3 (see Chap. 34) is the new iteration of the World Wide Web where 
decentralization and blockchain technologies are vital factors, compared to Web 
2.0, where content is centralized in a small group of big tech companies [9]. 
In addition, Web3 is argued to provide more data security, user privacy, and 
scalability. However, whether Web3 delivers on this is itself debated [9]. 

* SSI: In the context of electronic identities, Self-Sovereign Identity (SSI) is a 
concept where the end-user controls which attributes (e.g., the age) are shared 
and how (e.g., "over 18" rather than the exact age or date of birth), and where 
trust is decentralized. Many electronic identities and eWallets worldwide, including 
in Switzerland, are planned to follow the SSI concept. Furthermore, one of the SSI 
principles is data minimization, which implicitly calls for ZKPs where applicable. 
Therefore, we should expect to see ZKPs increasingly used in specific use cases [3]. 

* PETs: ZKPs can be seen as privacy-enhancing technologies (PETs) applicable 
to various use cases, as previously described. However, they require personnel 
with good knowledge of the technology and non-negligible overhead to implement. 
Therefore, the incentive for using ZKPs must be strong enough to overcome the 
overhead. In addition, it is still early to say which factors would push for their 
adoption: security considerations (e.g., no data breaches because no data have 
been shared), marketing/reputation, or regulations (e.g., GDPR, which requires 
data minimization). 


Internationally, the adoption of PETs in the private sector is often slower than 
desired and used as a marketing argument: differential privacy at Google and Apple, 
end-to-end encryption in messaging applications. ZKPs can be expected to have 
similar adoptions. 

In the Swiss market, a couple of enterprises offer privacy-based digital services. 
For instance, Threema for messaging and Proton for a broader range of services. 
With the emergence of eID and eWallets, we can expect a similar small adoption 
of ZKPs, in the use cases where they apply. Similarly, with the emergence of new 
ZKPs use-cases, we can expect more privacy-based services. However, the market 
share of these privacy-based services is relatively small, with occasional boosts due 
to data leaks and scandals. This trend is likely to remain the same. 


6.3.3 Civil Society 


As with end-to-end encrypted messaging or privacy-preserving Covid tracing, 
PETs help increase the trustworthiness of the applications, the companies, or the 
governments collecting the data, which benefits the economy and administrative 
efficiency. ZKPs will play a similar role. However, as mentioned before, the 
market share of these privacy-based services is relatively small, with occasional 
boosts due to data leaks and scandals. This trend is likely to remain the same. 


6.3.4 Implementation Possibilities: Make or Buy 


There are different ZKPs for different use cases, and most of these are still research 
prototypes or open-source implementations. So far, buying is not an option. 


6.3.5 Variation and Recommendation 


The most prominent implementation of ZKPs is Zcash, an anonymous cryptocur- 
rency. However, Switzerland has only a slight advantage in playing a role there. 
The basic idea of ZKPs, which is sharing the minimum necessary provable 
information without revealing anything else, can, in contrast, have high utility in 
the banking sector and in the mediation activities between conflicting parties, where 
Switzerland is well placed. Therefore, an interdisciplinary working group to investigate 
these potentials is worth establishing. 


6.4 Conclusion 


ZKPs are in their early stages, and research is still widening their application range 
and use cases. 
For the industry (Swiss or worldwide), this may bring new opportunities to: 


* Use the (new) PET as a differentiation factor (like Threema and Proton do for 
messaging and email) 
* Adopt ZKPs where applicable, thereby improving the security of data sharing 


For civil society, wherever ZKPs apply, this is an additional way to secure 
personal data, reducing the impact of data breaches. 

For the Swiss government and military, ZKPs may help improve controls and 
mediation between conflicting parties. Therefore it is recommended to investigate 
the potentials further here and keep observing the evolution of ZKPs. 
Chapter 7 
Random Number Generator 


Thomas Lugrin 


7.1 Introduction 


Most modern encryption and authentication methods rely on the generation of ran- 
dom numbers [1], for example for key generation, initialization vectors, or nonces. 
Therefore, a reliable source of entropy is fundamental to making encryption and 
authentication methods secure: weak sources of randomness can compromise 
otherwise secure encryption and authentication schemes. 


7.2 Analysis 


7.2.1 Definition 


A Random Number Generator (RNG) is cryptographically secure if the sequences 
of numbers that it generates are unpredictable (Section 3.3.1 of [2]). RNGs are 
typically grouped in two categories: Pseudo-Random Number Generators (PRNG) 
and True Random Number Generators (TRNG). 

PRNGs depend on a seed value, from which a seemingly erratic albeit determin- 
istic sequence is produced; it is a quick and debug-friendly version of RNGs often 
used in statistical applications. They are not suitable for cryptographic applications 
in isolation. However, they may be used when correctly combined (seeded) with a 
reliable entropy source. 
TRNGs rely on physical phenomena, e.g., radioactive decay, thermal noise, 
small-scale hardware activity, or particular hardware based on quantum physics 
(abbreviated QRNG; see for example, Chapter 2 of [3]). As it is hard to balance 
physical processes such that the probability of 0's and 1's is exactly 1/2, the output of 
TRNGs must be adequately post-processed. Secure mixing functions such as hash 
functions or symmetric encryption schemes may produce unbiased output [4]. These 
mixing functions also remove serial dependence between bits. An excellent example 
of such an implementation is the Linux kernel RNG /dev/urandom [5]. 

Quantum RNGs are often presented as the only means to protect infrastructure 
against future powerful quantum computers. However, this is misleading, as any 
reliable source of randomness remains unpredictable against any adversary with 
arbitrary computing power. 


7.2.2 Trends 


Small-size, low-cost QRNGs have already been integrated into off-the-shelf devices 
such as smartphones, computers, and hardware security modules. 


7.3 Consequences for Switzerland 


People, businesses, and authorities in Switzerland should continue using secure 
hardware random number generators and promoting research on them. This will 
ensure that they can benefit from the newest technological advances when they 
become available. 


7.3.1 Implementation Possibilities: Make or Buy 


Using secure RNGs that cannot be manipulated or tampered with and whose output 
is not predictable is fundamental as a basis for encryption methods. Applications 
involving particularly sensitive data can combine the output from two or more 
independent sources of randomness for improved security. PRNGs, which produce 
deterministic outcomes, must not be used in cryptography in isolation and must at 
least be seeded from a TRNG. 

Open-source solutions such as the Linux kernel RNG /dev/urandom are 
considered reliable [6]. Hardware products dedicated to producing randomness from 
reliable and reputable producers can be used as a complement after appropriate 
verification and approval. 

Several companies are operating in the TRNG market, e.g., developing QRNG 
chips that can be integrated into hardware. A few companies selling QRNG chips 
or systems are listed in Table 7.1. These QRNG chips do not offer stronger 
guarantees than other TRNGs; they are just another means of potentially generating 
cryptographically secure randomness. 

Table 7.1 Different companies active in the QRNG field 

ID Quantique 
  Description: technology pioneers, well established, integrated into a chip, promote cost-effectiveness 
  Technology: photonic (optical) 
  Country: Switzerland (linked to South Korea through SK Telecom) 

Quintessence Labs 
  Description: well established, fastest generators, not chip integrated 
  Technology: barrier tunneling 
  Country: Australia 

RandomPower 
  Description: newcomers, growing, qualification and MVP in place, offers new technology; RUAG Switzerland ran tests on their products 
  Technology: in-silico 
  Country: Italy 


7.3.2 Variation and Recommendation 


RNGs should be appropriately isolated and integrity protected to prevent tampering 
or access to internal states that could leak information about the random sequence. 
Combining the output of several RNGs (e.g., using XOR) can mitigate the potential 
weaknesses of individual RNGs. 

The US National Institute of Standards and Technology (NIST) published a 
range of hypothesis tests [7] that can provide evidence of potentially complex 
dependence patterns. Its German equivalent (Bundesamt für Sicherheit in der 
Informationstechnik, BSI) also suggests a suite of tests [8]. These tests do not 
provide proof of randomness: their null hypothesis is that the sequence is random, 
and they can, at best, reject it at a given confidence level when a specific dependence 
pattern shows up; a sequence that passes has merely not been caught. A deterministic 
but well-mixed sequence (e.g., the hash of a counter) is not distinguished from a 
random one by any of them. The longer the test sequence, the more confidence can 
be placed in the test results. A good understanding of the inner workings of a TRNG 
is therefore key to assuring the unpredictability of its output. 
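The post-processing of raw TRNG output described in Sect. 7.2.1, the XOR combination of independent generators, and the limits of the statistical tests can all be demonstrated on simulated data. The Python code below is an added example, not from the chapter: the "raw TRNG" is a constructed, seeded simulation of a biased source; the code measures its bias, debiases it with the von Neumann corrector and with SHA-256 conditioning, XORs it with a second source, runs the NIST SP 800-22 frequency (monobit) test, and finally feeds that test a zero-entropy sequence (SHA-256 of a counter) that it cannot tell from random.

```python
"""Raw TRNG bias, post-processing, XOR combination and the NIST monobit test.
Added example, not from the chapter. The "raw TRNG" is a constructed, seeded
simulation of a biased source; the hash-of-counter source is constructed to
show what statistical tests cannot see."""
import hashlib
import math
import random


def biased_source(n_bits, p_one, seed):
    """Simulated raw TRNG: independent bits with P(1) = p_one (constructed)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n_bits)]


def bias(bits):
    """Estimate of P(1) - 1/2 from the sample."""
    return sum(bits) / len(bits) - 0.5


def von_neumann(bits):
    """Classic debiaser: 01 -> 0, 10 -> 1, 00 and 11 discarded (needs independence)."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def hash_condition(bits, in_block=512, out_bits=256):
    """Cryptographic conditioning: SHA-256 over twice as many raw bits as emitted."""
    out = []
    for i in range(0, len(bits) - in_block + 1, in_block):
        chunk = int("".join(map(str, bits[i:i + in_block])), 2).to_bytes(in_block // 8, "big")
        digest = int.from_bytes(hashlib.sha256(chunk).digest(), "big")
        out.extend((digest >> k) & 1 for k in range(out_bits))
    return out


def xor_combine(a, b):
    """Independent sources XORed: bias(a xor b) = 2 * bias(a) * bias(b) in
    magnitude, so one good source rescues a bad one."""
    return [x ^ y for x, y in zip(a, b)]


def monobit_pvalue(bits):
    """NIST SP 800-22 frequency (monobit) test; H0: the sequence is random."""
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(len(bits)) / math.sqrt(2))


def hashed_counter(n_bits):
    """Zero-entropy source the tests cannot flag: SHA-256 of 0, 1, 2, ..."""
    out = []
    for i in range(n_bits // 256):
        d = int.from_bytes(hashlib.sha256(i.to_bytes(8, "big")).digest(), "big")
        out.extend((d >> k) & 1 for k in range(256))
    return out


def demo(n=20000):
    raw_a = biased_source(n, 0.60, seed=1)      # P(1) = 0.6: clearly biased
    raw_b = biased_source(n, 0.55, seed=2)      # a second, mildly biased source
    good = biased_source(n, 0.50, seed=3)       # an unbiased source
    counter = hashed_counter(n)
    return {
        "raw_bias": bias(raw_a),                              # about +0.10
        "raw_pvalue": monobit_pvalue(raw_a),                  # about 0: rejected
        "vn_bias": bias(von_neumann(raw_a)),                  # about 0
        "hash_bias": bias(hash_condition(raw_a)),             # about 0
        "xor_bad_bad_bias": bias(xor_combine(raw_a, raw_b)),  # magnitude 2*0.10*0.05
        "xor_bad_good_bias": bias(xor_combine(raw_a, good)),  # about 0
        "counter_bias": bias(counter),                        # about 0
        "counter_pvalue": monobit_pvalue(counter),            # passes, zero entropy
    }
```

The last two results are the point of the caveat above: conditioning removes visible bias, so a test run on conditioned output says nothing about the entropy of the physical source. The tests belong on the raw bits, and the entropy estimate has to come from understanding the source itself.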


7.4 Conclusion 


A reliable source of randomness is critical to ensuring the security of most modern 
encryption and authentication systems. Unfortunately, pseudo-random number 
generators are not suited in such a context, except if suitably combined with a 
reliable entropy source. 

Proving that a source of bits is truly random is impossible on finite sequences, 
but statistical test suites exist that provide evidence against non-randomness. Good 
physical sources of entropy must be chained with robust post-processing techniques 
to remove biases and serial dependencies. 

Standard tools like /dev/urandom on Linux systems provide a good source 
of random numbers based on multiple hardware-based entropy sources. Additional 
security can be achieved by combining independent RNGs, typically based on 
physical processes of different types, e.g., quantum physics. 
Chapter 8 
Homomorphic Encryption 


Jean-Pierre Hubaux 


8.1 Introduction 


Homomorphic Encryption (HE) is a technique in cryptography that allows operations 
to be performed on encrypted data. The encrypted result can then be decrypted 
to obtain the result of the operation, making it possible to perform computations 
on sensitive data without revealing it. With recent advancements and the 
increasing demand for data protection, HE is expected to become more relevant 
soon and to be used in many industries. In Switzerland, IBM, Inpher, and Tune Insight 
are among the companies that have developed HE libraries and offer solutions for 
secure computation. These solutions can provide better protection and reduce the 
vulnerability of data entrusted to Swiss companies. 


8.2 Definition and Analysis 


In some application areas, performing operations (additions, multiplications, etc.) 
on the encrypted form of data is desirable. This is precisely what homomorphic 
encryption does. The encrypted result can then be decrypted to obtain the result of 
the operation. The obtained result will be the same as if the computation had been 
performed in cleartext. This technique makes it possible to ask a third party, such as 
a cloud service provider, to perform operations on data that it hosts on behalf of a 
customer, but without seeing this data. 
The basic idea is several decades old, and partial solutions (schemes supporting 
only one type of operation, such as addition) were already proposed in the late 
twentieth century. In 2009, Craig Gentry showed that fully homomorphic encryption 
(FHE), suppor­ting arbitrary computation on encrypted data, is possible [1]. Since 
then, many improvements were made, notably to increase performance. 

For sensitive data, such as healthcare information, homomorphic encryption 
can enable new services by removing privacy barriers inhibiting data sharing, or 
increasing the security of existing services. For example, due to medical data privacy 
concerns, predictive analytics in healthcare can be hard to apply via a third-party 
service provider. However, these privacy concerns are diminished if the predictive 
analytics service provider can operate on encrypted data instead. Moreover, even if 
the service provider's system is compromised, the data would remain secure [2]. 

For many years, homomorphic encryption has suffered from two significant 
weaknesses: Limitations on the nature of the computations that could be performed 
and high computational costs (and thus higher energy consumption and slower 
execution). The former has been addressed by the advent of the already mentioned 
FHE and the subsequent enhancements brought after that; polynomials of the 
appropriate degree can approximate non-polynomial functions. In addition, several 
software optimizations have mitigated the latter. Nevertheless, many additional 
improvements (several orders of magnitude) are expected by deploying specialized 
hardware accelerators that should become available by 2025. 
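The cloud scenario of Sect. 8.2, computing on hosted data without seeing it, and the restriction to a limited class of operations that FHE later lifted, can be shown with a partially homomorphic scheme. The Python code below is an added example, not from the chapter and not from any of the libraries it mentions: it implements the Paillier cryptosystem (additive homomorphism only: sums of ciphertexts and multiplication by public constants) and uses it to let an untrusted server evaluate a linear risk score over encrypted patient values, in the spirit of the healthcare example above. The patient values and model weights are constructed sample data, and the 512-bit modulus is chosen for speed, not as a production parameter.

```python
"""Paillier (1999): additively homomorphic encryption, used so an untrusted
server can evaluate a linear score over encrypted values. Added example; the
512-bit modulus and the sample data are constructed for illustration only."""
import math
import secrets

_SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73]


def is_probable_prime(n, rounds=40):
    """Miller-Rabin with a trial-division pre-filter."""
    if n < 4:
        return n in (2, 3)
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # exact size, odd
        if is_probable_prime(cand):
            return cand


def keygen(modulus_bits=512):
    """Public key (n, g = n+1); private key (lambda, mu = lambda^-1 mod n)."""
    while True:
        p, q = gen_prime(modulus_bits // 2), gen_prime(modulus_bits // 2)
        n = p * q
        if p != q and math.gcd(n, (p - 1) * (q - 1)) == 1:
            break
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return (n, n + 1), (lam, pow(lam, -1, n))


def encrypt(pub, m):
    """c = g^m * r^n mod n^2 with fresh random r, so equal m give different c."""
    n, g = pub
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:          # practically never loops for this n
        r = secrets.randbelow(n - 1) + 1
    return (pow(g, m % n, n2) * pow(r, n, n2)) % n2


def decrypt(pub, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n with L(u) = (u-1)/n; upper half = negative."""
    n, _ = pub
    lam, mu = priv
    m = ((pow(c, lam, n * n) - 1) // n) * mu % n
    return m - n if m > n // 2 else m


def he_add(pub, c1, c2):
    """Enc(a) * Enc(b) = Enc(a + b)."""
    return (c1 * c2) % (pub[0] ** 2)


def he_scale(pub, c, k):
    """Enc(a)^k = Enc(k * a) for a public constant k, negative k included."""
    n = pub[0]
    return pow(c, k % n, n * n)


def server_linear_score(pub, enc_values, weights, enc_bias):
    """Untrusted side: Enc(sum_i w_i * x_i + b) from ciphertexts and public weights."""
    acc = enc_bias
    for c, w in zip(enc_values, weights):
        acc = he_add(pub, acc, he_scale(pub, c, w))
    return acc


def demo():
    pub, priv = keygen()
    values = [52, 138, 7]               # constructed: age, systolic BP, a count
    weights = [3, 2, -15]               # constructed public model weights
    bias_term = -300
    enc_values = [encrypt(pub, v) for v in values]          # client encrypts
    enc_score = server_linear_score(pub, enc_values, weights, encrypt(pub, bias_term))
    return {
        "score": decrypt(pub, priv, enc_score),             # client decrypts: 27
        "expected": sum(w * v for w, v in zip(weights, values)) + bias_term,
        "ciphertexts_differ": encrypt(pub, values[0]) != encrypt(pub, values[0]),
    }
```

The server never holds the private key and sees only randomized ciphertexts, so a compromise of the server exposes nothing about the patient values. Anything beyond a linear function, such as the products or thresholds of a real predictive model, is outside what Paillier can evaluate; that is exactly the gap FHE closes, at the computational cost discussed above.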


8.2.1 Trends 


Well-established cryptographic algorithms and security protocols provide vital data 
protection at rest and in transit. Homomorphic encryption fills the remaining gap, 
protecting data in use, i.e., during processing, a need that will become more relevant 
in the future. This trend will be fueled by an increasing demand for data protection 
(motivated notably by numerous and recent data leakage scandals, including in 
Switzerland), increased performance of the software libraries, remarkable progress 
on the front of fully homomorphic encryption, hardware accelerators, better 
development tools, and progress on standardization [3, 4]. 

In particular, homomorphic encryption can be competitive compared to 
hardware-based solutions (enclaves or Trusted Execution Environments as 
described in Chap. 18). Indeed, the latter suffer from (i) the need to trust a 
hardware vendor, (ii) side-channel attacks, and (iii) high costs when systems need 
to be retrofitted after the discovery of a vulnerability. The equivalent problems 
are less salient with HE. Indeed, (i) trusting a software vendor is easier to achieve 
because its code can be scrutinized; (ii) the server holds neither keys nor plaintext, 
so side channels on its side cannot expose the data, a property that follows from 
the scheme's security proof rather than from hardware isolation (side-channel 
hygiene is still required where the client's key is used); finally, (iii) hardware 
accelerators are meant to be replaced only rarely. 
8.3 Consequences for Switzerland 


On the business side, considering how heavily Switzerland is involved in the service 
sector, including data-intense activities, it is expected that homomorphic encryption 
can be of high relevance. In particular, better protection can reduce the vulnerability 
of data entrusted to Swiss companies. 

In Switzerland, the three main industry-level activities related to HE are as 
follows. In its Zurich Research Lab, IBM has developed an HE library called 
HElib. HElib is a free and open-source cross-platform software. It implements 
various forms of homomorphic encryption. It is based on the Brakerski-Gentry- 
Vaikuntanathan (BGV) fully homomorphic encryption scheme. It also includes 
several optimizations, such as Smart-Vercauteren ciphertext packing techniques. It 
is written in C++. 

The US-Swiss company Inpher has developed an open-source HE library called 
TFHE [5]. It is written in C/C++ and based on the ring variant of the Gentry, Sahai, 
and Waters (GSW) cryptosystem. TFHE is distinct from the company's flagship 
product, XOR, a software product providing secure multi-party computation fea- 
tures. However, XOR and TFHE can be used jointly in some cases. The company is 
funded mainly by US banks and operates primarily in that sector, but it also invests 
in the health sector. 

Finally, the EPFL spin-off Tune Insight SA, founded in 2021, has developed an 
HE library called Lattigo, written in Go [6]. The library is based on the 
Cheon-Kim-Kim-Song (CKKS) scheme and thus provides floating-point operations 
and supports fast bootstrapping. 

For cloud computing, homomorphic encryption can respond to the legal uncer- 
tainty generated by the Schrems II ruling of the European Court of Justice. Indeed, 
Schrems II has challenged the agreement that was previously set up between the 
US and EU authorities in terms of processing of data related to EU citizens by 
US companies [7]. Homomorphic encryption is a response to this concern because, 
with HE, Swiss-based users can use US-operated cloud services while retaining the 
exclusive knowledge of their decryption keys and, therefore, all their data. 

For an overview of HE libraries (including those unrelated to Switzerland), the 
reader is referred to the Wikipedia article on HE [2]. For applications aiming at 
building intelligence out of siloed data, homomorphic encryption can be combined 
with secure multi-party computation (SMC) which is described in Chap. 17. 


8.3.1 Implementation Possibilities: Make or Buy 


As with cryptographic solutions in general, it is not recommended to develop propri- 
etary HE implementations, but rather to rely on well-established and standardized 
solutions. 
8.3.2 Variations and Recommendation 


At the time of this writing (November 2022), HE is still in a maturation phase, and 
much more information can be found about the HE tools themselves than about 
real-world applications. Nevertheless, we briefly provide three real-world examples 
related to the three companies mentioned above with Swiss-based technical activi- 
ties on HE. 

Organizations can use IBM's HElib to scale their stream processing applications 
elastically into infrastructure-as-a-service clouds. The proposed solution not 
only scales data stream processing applications into public clouds but also 
preserves the privacy of such applications [8]. 

Inpher's technical solutions, XOR and TFHE, can be used to support privacy- 
preserving techniques in financial services. More specifically, these tools can be 
instrumental in fighting financial crime such as money laundering and enable 
enforcement use cases [9]. 

Finally, armasuisse and Tune Insight SA are collaborating on sharing cyberse- 
curity intelligence [10]. Tune Insight has already deployed its privacy-preserving 
distributed data analysis solution among several university hospitals. 


8.4 Conclusion 


Homomorphic encryption can be a transformative technology to reinforce digital 
trust. The availability of domestic research and solutions is a competitive advantage 
for Switzerland. 
Chapter 9 
Quantum Key Distribution 


Jasper Rödiger 


9.1 Introduction 


A new class of computers, so-called quantum computers, will soon be able to crack 
common encryption algorithms. Quantum Key Distribution (QKD), which has been 
progressively industrialized in recent years, is a promising solution to stay secure 
in the quantum computer age. Worldwide, point-to-point QKD links are combined 
into larger and larger testbed networks, which approach more commercially usable 
networks. Topics like certification and standardization have become increasingly 
important for QKD. Since Switzerland is strong in the field of QKD in terms of 
academia and industry, it has the opportunity to produce QKD technology within 
the country successfully. 


9.2 Analysis 


9.2.1 Definition 


Quantum computers will thus soon endanger secure data traffic. Entirely new 
methods will therefore be needed to secure data transmission in the future. 
Nowadays, two leading families of cryptographic techniques are used to protect 
telecommunications. The first is symmetric encryption, see Chap. 2, such as AES, 
and the other is public-key cryptography, also known as asymmetric cryptography. 
The asymmetric cryptographic methods are often used to distribute the symmetric 
keys needed for symmetric cryptographic methods to the communication partners. 
The sender and receiver each use different keys in these methods: a public key and a 
private key. With conventional computers, it takes much effort to deduce the private 
key from the public key and thus break the encryption. However, as soon as quantum 
computers with the necessary computing power are available, the Shor algorithm 
can calculate the private key quickly for many methods used today [1]. 

QKD uses the quantum states of individual photons, i.e., light particles, to send 
so-called qubits from one communication partner to the other and thus generate 
a symmetric and secure key [2]. This exploits the fact that individual photons 
cannot be copied due to the no-cloning theorem of quantum physics and that the 
measurement of photons leads to measurement errors due to the quantum mechan- 
ical uncertainty principle. By cleverly applying these laws and if an authenticated 
communication channel exists between the communication parties, they can gain an 
information-theoretic advantage over potential attackers. Furthermore, by suitable 
post-processing of the measured qubits, they can generate a sequence of coinciding 
bits only known to them, which they can then use as a key, e.g., in symmetric 
cryptography methods. 

Since the quantum key exchange is based on physical laws and not on the 
complexity of specific mathematical problems, the keys generated in this way can be 
used securely regardless of the computing power of quantum or classical computers 
and are thus future-proof. 
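The mechanism just described, as an added example that is not part of the chapter or of any vendor's product: a simulation of the BB84 prepare-and-measure protocol (BB84 is assumed here as a representative of the many QKD protocols), showing basis sifting over the authenticated channel and how an intercept-resend eavesdropper shows up as a raised error rate. Photon physics is reduced to the one rule the argument relies on: a measurement in the wrong basis yields a random bit.

```python
"""Simulation of prepare-and-measure QKD (BB84) with sifting and error estimation.

Added example, not from the chapter or any QKD vendor. BB84 is one concrete
protocol among the many the chapter refers to. Photons are modelled classically:
measuring a qubit in the wrong basis yields a uniformly random bit, which is
exactly what lets the legitimate parties notice an intercept-resend eavesdropper.
"""
import random


def measure(bit: int, prep_basis: int, meas_basis: int, rng: random.Random) -> int:
    """Outcome of measuring a photon prepared as (bit, prep_basis) in meas_basis."""
    if meas_basis == prep_basis:
        return bit               # matching bases: the outcome is deterministic
    return rng.randrange(2)      # mismatched bases: the outcome is 50/50


def run_bb84(n_photons: int, eavesdrop: bool, seed: int = 0) -> dict:
    """Exchange n_photons, sift, and estimate the quantum bit error rate (QBER).

    Returns the final keys of both parties plus the QBER they observe when they
    publicly compare a sample of their sifted bits over the authenticated channel.
    """
    rng = random.Random(seed)     # seeded so the run is reproducible
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bits = []
    for bit, basis, bob_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            # Intercept-resend: the no-cloning theorem forces Eve to measure,
            # guessing a basis, and to re-emit what she saw in that basis.
            eve_basis = rng.randrange(2)
            bit = measure(bit, basis, eve_basis, rng)
            basis = eve_basis
        bob_bits.append(measure(bit, basis, bob_basis, rng))

    # Sifting: both announce their bases (never the bits) over the authenticated
    # classical channel and keep only the positions where the bases agree.
    sifted_a = [b for b, x, y in zip(alice_bits, alice_bases, bob_bases) if x == y]
    sifted_b = [b for b, x, y in zip(bob_bits, alice_bases, bob_bases) if x == y]

    # Error estimation: sacrifice every other sifted bit by comparing it in public.
    sample = range(0, len(sifted_a), 2)
    errors = sum(sifted_a[i] != sifted_b[i] for i in sample)
    qber = errors / len(sample) if len(sample) else 0.0
    alice_key = [sifted_a[i] for i in range(1, len(sifted_a), 2)]
    bob_key = [sifted_b[i] for i in range(1, len(sifted_b), 2)]
    return {"qber": qber, "alice_key": alice_key, "bob_key": bob_key,
            "sifted_bits": len(sifted_a)}


def eavesdropper_suspected(qber: float, threshold: float = 0.11) -> bool:
    """Abort decision: 0.11 is the usual BB84 bound for one-way post-processing;
    intercept-resend on every photon produces a QBER of about 0.25."""
    return qber > threshold


if __name__ == "__main__":
    for tapped in (False, True):
        result = run_bb84(4000, eavesdrop=tapped, seed=7)
        print(f"eavesdropper={tapped}: sifted={result['sifted_bits']} "
              f"QBER={result['qber']:.3f} abort={eavesdropper_suspected(result['qber'])}")
```

Error correction and privacy amplification, the remaining post-processing steps, are omitted; real links also carry intrinsic noise, which is why an abort threshold rather than "any error" is used.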


9.2.2 Trends 


There are many different QKD protocols in existence, which, based on the above- 
described principles, use different degrees of freedom and state preparation and 
measurement mechanisms. The maturity of the implementation and theoretical 
assessment of the different QKD protocols are vastly different. Some implemen- 
tations of those protocols are already quite mature, can be purchased as QKD 
solutions for point-to-point secure communication by different vendors, or are close 
to being purchasable. Worldwide, those point-to-point solutions are combined to 
testbed networks, which approach more commercially usable networks. 

The largest of those QKD networks is the quantum backbone network built in 
China from 2013 to 2017, which spans over 2000 km of fiber between Beijing and 
Shanghai, including the satellite Micius offering satellite-based QKD links [3]. An 
expansion started in 2017 aims to cover China by 2025. In the EU, since 2019, the 
EuroQCI initiative aims to build a secure quantum communication infrastructure 
(QCI) that will span the whole EU, including its overseas territories, through 
fiber and satellite links [4]. All 27 EU member states have signed the EuroQCI 
declaration, committing themselves to the EuroQCI initiative. EuroQCI's goal is 
to have a fully operational QCI by 2027. The US company Battelle and the Swiss 
company IDQuantique implemented a QKD network in the US in 2013 between 
Columbus and Dublin in Ohio, namely the Battelle Quantum Network (BQN) [5]. 
It is their declared goal to extend the BQN to span 700 km. 

Another sign that QKD is progressively getting industrialized can be observed 
by examining standardization endeavors. The most important standardization 
organizations regarding QKD are ETSI and ITU. ETSI started the first 
standardization activity as early as 2008 by establishing the Industry Specification 
Group on QKD. Later, the ITU entered the realm of QKD and has remained very 
active. Additionally, cybersecurity authorities such as the German BSI or the French 
ANSSI will play an essential role in the certification of QKD products [6]. However, 
governmental agencies still point out the lack of scalability [7] or even oppose its 
use for business-critical networks [8]. 


9.3 Consequences for Switzerland 


Academically, Switzerland is one of the leading countries worldwide in 
QKD [9]. This also affects the know-how transfer into the industry. One prominent 
example is the company IDQuantique, one of the first companies to bring QKD 
products to the market, in 2004, and still an essential company in this area. 


9.3.1 Implementation Possibilities: Make or Buy 


Since there is already much know-how in Switzerland, both academically and 
in the private industry, Switzerland is in an excellent position to produce QKD 
technology within the country if QKD technology is further fostered. Due to the 
expected demand, the QKD market is currently massively growing. Therefore, it is 
reasonable to expect more QKD vendors to emerge, exploring the different possible 
technologies including continuous-variable (CV) and discrete-variable (DV) QKD 
modules. The best technology may depend on the exact use case (Table 9.1). 


9.3.2 Variations and Recommendation 


Since the QKD market is growing, Switzerland can keep its advantages in the field 
of QKD if the field is further supported [10]. 
Table 9.1 Implementation possibilities for different sectors 


Military 
  Make (pros): full control over development 
  Make (cons): the market is still developing and changing 
  Buy (pros): a lot of different vendors and technologies are expected to emerge in the next five years 
  Buy (cons): less control over products 

Civil Society 
  Make (pros): Switzerland is in a good position, academically and industry-wise 
  Make (cons): none 
  Buy (pros): a lot of different vendors and technologies are expected to emerge in the next five years 
  Buy (cons): none 

Economy 
  Make (pros): Switzerland is in a good position, academically and industry-wise 
  Make (cons): none 
  Buy (pros): Switzerland is in a good position already 
  Buy (cons): none 


9.4 Conclusion 


The QKD market is developing. Industrialization takes place in terms of publicly 
funded projects and private actors. Since Switzerland is strong in the field of QKD 
in terms of academia and industry, it has the opportunity to produce and export 
QKD technology. However, it is necessary to know that influential cybersecurity 
authorities do not recommend using this technology at a broader level as there are 
cheaper alternatives for the mass market. 
Chapter 10 
Post-quantum Cryptography 


Linus Gasser 


10.1 Introduction 


The chapter about Post-quantum Cryptography discusses the need for a new 
generation of cryptography to protect against future quantum computers. These 
computers will likely reverse many of the one-way functions used in current asym- 
metric encryption methods, making encrypted data vulnerable. The US government 
advocates vigorously to implement post-quantum algorithms by 2035, as an enemy 
could decrypt encrypted data or messages copied today. Symmetric encryption is 
not significantly faster for quantum computers to break, but asymmetric encryption, 
which relies on one-way functions, is vulnerable. NIST started a Post-Quantum 
Cryptography (PQC) challenge in 2016, with four algorithms selected as safe 
against quantum computers in 2022. The first implementations have started to 
appear, combining PQC with classical algorithms for added security. The research 
will continue to find faster and more secure algorithms, but no known cryptographic 
algorithm is provably secure against quantum computers and allows homomorphic 
encryption. Hybrid encryption is becoming more common, but protocols without 
a fallback must be considered carefully, as some quantum-safe algorithms may be 
attackable. 
10.2 Analysis 


Cryptography is widely used to encrypt (hide) and sign (prove the source) electronic 
documents and internet traffic. The underlying mathematical concept is a one-way 
function [1] that makes it easy to encrypt but challenging to decrypt without a secret. 
However, future quantum computers will likely be able to reverse many of these one- 
way functions that are widely used and allow the calculation of the secret needed to 
decrypt the data. 

The US government urges its services to implement post-quantum algorithms 
by 2035 [2]. The urgency comes from the fact that even if quantum computers are 
expected to be available after that date, an enemy who copied encrypted data or 
encrypted messages might decrypt them at this point. For data with a long secrecy 
requirement, it is thus crucial to start using quantum-safe encryption well before 
such quantum computers exist. 


10.2.1 Definition 


Current encryption algorithms can be separated into two groups: symmetric encryp- 
tion (see Chap. 2) and asymmetric encryption (see Chap. 3). 

As of 2022, quantum computers are not significantly faster at breaking symmetric 
cryptography [3]. However, asymmetric encryption is based on one-way functions 
which can take a random, secret key and create a corresponding public key. The 
inverse function, taking a public key, and finding the secret key, is supposed to be 
hard for the two most commonly used algorithms, namely RSA and Elliptic Curves. 

Future quantum computers should be able to speed up this reversing operation 
and make it possible to use a public key to find the corresponding private key 
within minutes instead of eons. They will use the Shor algorithm to break the 
one-way functions of RSA and Elliptic Curves. However, as seen in [4], there are 
still exponential advancements in terms of the number of qubits and their quality 
(error rate) required until quantum computers are powerful enough to run the Shor 
algorithm for today's asymmetric encryption algorithms. 

Various propositions exist for one-way functions where quantum computers 
do not have an advantage. There are a couple of challenges: similar to one-way 
functions in widespread use today, these new ones need to be secure against any type 
of attack. It is not because nobody found an attack that would break an algorithm 
that the algorithm is secure as it often takes years to find such attacks, as seen in the 
example of two entries in the NIST post-quantum standardization effort [5]. Other 
problems are the speed of encryption and the size of the keys and of the corresponding messages. 
10.2.2 Trends 


NIST started a Post-Quantum Cryptography (PQC) challenge in 2016, intending to 
find suitable algorithms for Public-key Encryption and Key-establishment as well as 
Digital Signature Algorithms. All cryptographers can participate in both proposing 
new algorithms, as well as in attacking existing algorithms. In July 2022, NIST 
published four algorithms that it believes to be safe against quantum computers [6]. 

Now that the winners of the NIST PQC challenge are known, the first imple- 
mentations have started to appear. Because these algorithms are still very new, most 
implementations combine a PQC algorithm with a classical one. This is done so 
that even if one of the two turns out to be broken, the security of the other algorithm 
remains. One downside of the NIST PQC winners is that there is only one encryption 
algorithm but three signature algorithms. This means that if the encryption algorithm 
is broken, no alternative exists. 

Google already tested quantum-safe encryption [7], and the SSH application, 
used to connect a user to a remote computer securely, proposes a hybrid encryption 
scheme as of April 2022 [8]. 

Of course, research will continue with the goal of finding faster, more compact, 
and more versatile algorithms than the ones submitted to NIST. Most importantly, 
however, there is currently no known cryptographic algorithm that is provably 
secure against attacks from quantum computers and that allows homomorphic 
encryption. 

More and more protocols will propose hybrid encryption, like SSH in [8], 
and later quantum-safe protocols only. However, the protocols that do not offer a 
fallback will have to be taken into account carefully, as there is a high probability 
that some of the currently proposed quantum-safe algorithms will turn out to be 
attackable either by quantum computers or even by classical computers. 


10.3 Consequences for Switzerland 


To understand why it is important to speed up the development and usage of 
quantum-safe algorithms, one has to look at Fig. 10.1: 


[Figure: horizontal timeline with the segments Research, Implementation and 
Secret Duration drawn against the time to create a quantum computer capable 
of breaking current encryption algorithms] 


Fig. 10.1 Timelines of development of new algorithms and development of quantum computers 
Even if we do not know whether or when a quantum computer capable of 
breaking today's encryption algorithms will be available, this does not mean we 
should wait until we know to switch to quantum-safe algorithms. This is because we 
need to add the time for research on quantum-safe algorithms, transitioning to them 
(updating old software and replacing non-upgradable legacy systems), and most 
importantly, the duration for which something encrypted today needs to stay secret. 
If an adversary stores encrypted messages in the hope of being able to decrypt them 
later using a quantum computer, the usefulness of these secrets must have expired 
by the time such a quantum computer becomes available. 

This is true for both stored secrets and secret communications. As has been 
shown by the Snowden revelations, the NSA (and probably other secret services 
as well) is storing encrypted secrets and communications in the hope of being able 
to decrypt them at a later time [9]. For Switzerland, this means that it is of utmost 
importance for the banking and the military sector to drive the move to quantum- 
safe encryption. Otherwise, copies of data that is safe today will be decrypted by third 
parties once quantum computers that can do so become available. Stories 
about a quantum computer breaking a well-known algorithm like RSA-2048 will 
continue to emerge, but they still do not achieve a scientific consensus [10]. 

For governments, one consequence is that future e-voting systems (see Chap. 23) 
need to be evaluated regarding their quantum-safe operations. If, for example, all 
encrypted votes are publicly available for verification, a future quantum computer 
might breach voting secrecy. On the other hand, businesses will mostly want to 
follow regulations and ensure that they implement the necessary and available 
technology. Otherwise, they might be penalized for failing to implement better 
practices. 


10.3.1 Implementation Possibilities: Make or Buy 


Make: developing custom cryptographic algorithms is strongly discouraged since 
they are likely to be insecure. Custom implementations of existing algorithms (e.g., 
NIST candidates) might be considered, but usage (and review/analysis) of existing 
and well-tested implementations should be preferred. 

Buy: use an existing library—NIST candidates are supposed to be patent-free, 
and most are available as Open Source implementations (Table 10.1). 


10.3.2 Variations and Recommendation 


There are different options for quantum-safe implementations. The first would 
be to implement the probably best algorithm available. The second would be a 
hybrid combination of classical and quantum-safe algorithms to get the most secure 
option. The third would be to wait until a consensus emerges on the best existing 
algorithm (Table 10.2). 
Table 10.1 Implementation possibilities for different sectors 

Military 
  Make (pros): augment legacy systems, protection against backdoors 
  Make (cons): potential error in implementation adding attack surface; will leak 
  Buy (pros): access to peer-reviewed library 
  Buy (cons): might contain accidental or purposeful backdoors 

Civil Society 
  Make (pros): none 
  Make (cons): none 
  Buy (pros): use library compatible with other services 
  Buy (cons): none 

Economy 
  Make (pros): sell hardened library 
  Make (cons): liability in case the library has an error 
  Buy (pros): faster development of quantum-secure products 
  Buy (cons): less advantage over competition 

Table 10.2 Variation and recommendation for different sectors 

Wait 
  Military (pros): no expense 
  Military (cons): secrets will leak 
  Civil Society (pros): most easy solution 
  Civil Society (cons): no e-voting 
  Economy (pros): no cost 
  Economy (cons): liability issues 

Hybrid 
  Military (pros): maximum protection 
  Military (cons): only feasible for the most sensitive data 
  Civil Society (pros): more security 
  Civil Society (cons): only feasible for very few use-cases 
  Economy (pros): security and PR 
  Economy (cons): cost and need to follow development 

Quantum-safe 
  Military (pros): easier than hybrid 
  Military (cons): might be broken 
  Civil Society (pros): none 
  Civil Society (cons): hassle because it will need to change 
  Economy (pros): none 
  Economy (cons): need to be updated 


10.4 Conclusion 


For the time being, symmetric encryption is secure and a quantum computer will 
not be able to create a significant speedup over classical computers for decrypting 
messages. However, estimates of whether and when a quantum computer capable of 
breaking RSA and Elliptic Curves will become available differ significantly between 
experts. As Fig. 10.1 indicates, not switching to quantum-safe algorithms would 
mean that long-term secrets might get compromised. For this reason, switching 
to quantum-safe algorithms is critical for data that must remain secret for years 
(e.g., military secrets or e-voting data). For all other data, it is crucial to ensure 
that systems are at least crypto-agile (migration path exists) or already come with 
support for hybrid algorithms, primarily when they are widely used like SSH [8]. 
While a complete migration to quantum-safe algorithms will only happen after 
2035 [11], tests and the migration of critical systems should start much 
earlier. For example, the military should start testing systems now and move systems 
requiring long-term security to quantum-safe algorithms well before 2035. The 
economy, more specifically banks, should start with testing at the latest in 2025 
and also consider having done most of the adaptation by 2035. 
Part II 
Low-Level Applications 


Chapter 11 
Functional Encryption 


Romain Gay 


11.1 Introduction 


Functional encryption is a cryptographic tool that gives users fine-grained access 
to encrypted data. Applications include situations where privacy and confidentiality 
conflict with practical data usage and aggregation, such as medical data or smart 
grid electricity consumption patterns. The benefits of functional encryption include 
built-in verifiability and the ability for the server to perform computations “blindly” 
on encrypted data while retaining the confidentiality of the plaintexts. The Swiss 
company Kudelski Security is developing an open-source library for functional 
encryption. While developing a solution from scratch can improve performance, the 
more compelling case is to use existing technology for faster product development 
and a solution less prone to bugs. 


11.2 Analysis 


11.2.1 Definition 


Functional encryption provides users with fine-grained access to the encrypted 
data and permits the computation of specific functions on the protected plaintexts. 
Namely, data is encrypted using a public key, while restricted keys that correspond to 
particular functions are generated. Decryption recovers only the function evaluated 
on the plaintext. It is possible to fine-tune which information is revealed during 
decryption, as opposed to the all-or-nothing access that standard encryption pro- 
vides [1]. 

Consider the simple example of private spam filtering. Incoming emails are 
encrypted using the recipient's public key. At the same time, the server has only a 
restricted key revealing whether such an email is spam without revealing the actual 
content of the email. Applications of Functional Encryption include many use cases 
where privacy and confidentiality conflict with practical data usage and aggregation, 
such as medical data or electric consumption patterns in smart grids. 

Like Homomorphic Encryption (see Chap. 8), Functional Encryption allows the 
server to compute “blindly” on the encrypted data retaining the confidentiality of 
the plaintexts. Unlike Homomorphic Encryption, however, Functional Encryption 
gives the server some well-chosen, partial information of the plaintexts in the clear, 
thanks to the restricted decrypting keys, which relieves the server from the need to 
interact with the user to extract useful information such as in the example of spam 
filtering. Moreover, Functional Encryption has a built-in verifiability property. This 
prevents the server from computing anything else than the function specified by the 
restricted decrypting key. 


11.2.2 Trends 


Traditional encryption schemes already address the need for confidential point- 
to-point communication. However, only advanced encryption schemes such as 
Functional Encryption can handle more sophisticated data sharing involving an 
untrusted cloud. Several technological trends are likely to accelerate the deployment 
of this new tool: 


* recent progress regarding the building of general purpose Functional Encryption 
that supports rich and complex classes of functions, performing advanced 
analytics of the encrypted plaintexts 

* efficiency improvement for schemes supporting simple functions, with the 
implementation of libraries and the application to real-life use cases, such as 
Privacy-preserving and auditable Digital Currency, Motion Detection and Local 
Decision Making, and Privacy-Preserving Statistical Analysis [2–5]. 

* rise of new decentralized schemes where no trusted setup is required, removing 
the single point of failure that plagues conventional encryption schemes. 


Just as Homomorphic Encryption, Functional Encryption protects data in use (as 
opposed to standard encryption, which only protects data in transit or at rest), with 
the additional advantage that the computation performed by the cloud is trusted by 
design and requires less interaction with the clients since the server can directly 
recover partial information from the encrypted data. 
11.3 Consequences for Switzerland 


A large share of Swiss businesses, such as the medical, banking, and insurance 
sectors, rely heavily on users' data, which is often confidential and sensitive. Besides 
solid privacy laws, these businesses can build trust with the consumers by using 
cryptographic tools such as Functional Encryption to build a product that is private 
by design. On the other hand, many data sets deemed too sensitive to share could 
be securely aggregated and put to practical use, for instance, medical data used for 
research. 


11.3.1 Implementation Possibilities: Make or Buy 


The fact that the Fentec project [2], whose sponsors include the Swiss company 
Kudelski Security [6], is currently developing an open-source library for Functional 
Encryption makes a case for buy. As typical for cryptographic schemes, and 
especially for recent technologies such as Functional Encryption, it is riskier to 
develop a homemade solution than using a tried and tested implementation. Using 
existing technology implies a faster development of products and a solution that is 
less prone to bugs. 

On the other hand, making a scheme from scratch would avoid using a scheme 
that potentially has a (purposeful or accidental) trapdoor. It could also permit a 
tailored scheme for a particular application, improving performance. 

Overall the case for buying is more compelling than making because it would 
require significant efforts to build a security scheme that is on par with the existing 
open-source solutions. 


11.3.2 Variations and Recommendation 


Functional Encryption schemes come in many forms. First, the general purpose 
schemes that can handle arbitrarily complex functions and satisfy strong security 
notions are versatile tools but still lack concrete efficiency. Second, another class 
of Functional Encryption schemes handles complex functions but only supports a 
somewhat limited security notion where keys only have a short life span (technically 
speaking, the attackers' capability of corrupting keys needs to be bounded and 
known in advance so that the security parameters can be scaled accordingly). These 
schemes may be well suited for applications that require performing sophisticated 
computation on the encrypted data and where the attackers’ capabilities are 
relatively limited in scope. 

Finally, the third type of Functional Encryption scheme focuses on smaller 
classes of simple functions, such as a weighted average on encrypted data. These 
schemes are the most efficient, and the simple functions they handle are sufficient for 
applications such as private inference. In some applications, simplicity is beneficial 
since it allows the classifier to justify itself easily. For instance, if a bank refuses 
a loan based on an analysis of a client's data, it should be able to justify its choice 
and make sure the decision is fair (e.g., not based on discriminatory attributes). This 
is easier to do if the classifier is a simple function. There are a variety of schemes 
and underlying cryptographic assumptions available. The schemes based on elliptic 
curves enjoy the smallest ciphertext and key sizes. In contrast, the lattice-based 
options have the advantage of post-quantum security but are currently less efficient 
(especially size-wise) than their counterparts. 


11.4 Conclusion 


Functional encryption is set to become an increasingly valuable tool in the context of 
growing concern for privacy and the ubiquitous use of data. Switzerland is involved 
in open-source projects such as Fentec, sponsored in part by Kudelski Security [6], 
which will facilitate the deployment of this technology for promising applications. 
Chapter 12 
Identity-Based Cryptography 


Bernhard Tellenbach 


12.1 Introduction 


In identity-based cryptosystems (IBC), identity is also the public key. This has two 
clear advantages over traditional public-key cryptosystems. First, certificates are 
not needed to bind the two independent information units, identity and public key. 
Second, key management is simplified because users can easily remember public 
keys for identities such as email addresses or domain names. There exists a wide 
variety of IBCs with widely differing properties and application domains. However, 
since most of them need a trusted third party that can derive the private keys of 
participants, those systems are not suitable for applications where this is a problem. 
This might contribute to the fact that, in practice, applications of IBC are still 
relatively rare, although there are various standards for IBC. Examples are ISO/IEC 
18033-5:2015, IEEE 1363.3-2013, or the MIKEY-SAKKE protocol for securing 
communication links, which is being actively pushed by the UK’s National Cyber 
Security Centre. In Switzerland, unlike research on it at universities, the use of this 
technology in the public and private sectors has yet to receive much attention. 
Changing this could lead to more effective solutions to several problems that it can 
address. 
12.2 Analysis 


Asymmetric cryptosystems form the foundation for establishing a secure connection 
with another party, including parties with which no secure channel has ever existed 
before. This is possible because, unlike with symmetric cryptosystems, no secret key 
material needs to be exchanged between the interacting parties beforehand. Instead, 
it is sufficient for each party to publish the public part of its key material, and for 
a trusted third party to confirm that this is indeed the public key of that party. 

The public part of a party’s key can then be used to encrypt data for that 
party or verify a digital signature created by that party with the private part of 
the key. Certificates are typically used for third-party confirmation. Certificates 
contain at least the identity (e.g., the email address), a party’s public key, and the 
digital signature of this association created by the trusted third party—also called 
Certification Authority (CA). Suppose the public keys of such CAs are already 
present on the parties’ systems, for example, because they were delivered with the 
operating system or browser or placed on the system by hand. In that case, the digital 
signature of the CA on the certificate can be verified. 


12.2.1 Definition 


In identity-based cryptosystems, the public key is also the identity. This has two 
clear advantages over traditional public-key cryptosystems: first, there is no need 
for certificates to bind the two independent information units, identity and public 
key, and second, key management is simplified because users can easily remember 
public keys, at least for identities such as email addresses or domain names. These 
two properties were the primary motivation of Adi Shamir when he introduced this 
type of cryptography in 1984 [1]. 
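The following Python sketch is an added example, not code from this chapter: it implements Cocks's identity-based encryption scheme, which rests on quadratic residuosity rather than the elliptic-curve constructions most deployed IBC uses, because it runs with the standard library alone. The identities, the message and the two fixed primes (2^61-1 and 2^89-1, far too small for real use) are constructed for the demo, and the function names are mine; pkg_extract shows concretely why the private key generator, the trusted third party from the introduction, can derive every participant's private key.

```python
import hashlib
import secrets
from math import gcd

# Two fixed primes, both congruent to 3 mod 4 as Cocks's scheme requires.
# They are the Mersenne primes 2^61-1 and 2^89-1, chosen so the demo runs
# offline without a prime generator; a real PKG uses fresh, far larger primes.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q  # public system parameter; P and Q are the PKG's master secret


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd positive n; returns 1, -1 or 0."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def identity_to_public_key(identity):
    """Hash an identity string to a in Z_N with Jacobi symbol (a/N) = 1.

    This is the entire key-distribution step: anyone derives the public key
    from the identity alone, with no certificate and no contact with the PKG.
    """
    counter = 0
    while True:
        digest = hashlib.sha256(f"{identity}|{counter}".encode()).digest()
        a = int.from_bytes(digest, "big") % N
        if a != 0 and gcd(a, N) == 1 and jacobi(a, N) == 1:
            return a
        counter += 1


def pkg_extract(identity):
    """PKG: derive the private key r of an identity from the master secret.

    Because the PKG knows P and Q it can compute the private key of every
    identity in the system; this is the key escrow property. The result
    satisfies r^2 = a (mod N) or r^2 = -a (mod N).
    """
    a = identity_to_public_key(identity)
    return pow(a, (N + 5 - P - Q) // 8, N)


def encrypt(identity, bits):
    """Encrypt a list of bits for an identity using only N and the identity."""
    a = identity_to_public_key(identity)
    ciphertext = []
    for bit in bits:
        m = 1 if bit else -1
        while True:
            t = secrets.randbelow(N - 2) + 2
            if gcd(t, N) == 1 and jacobi(t, N) == m:
                break
        t_inv = pow(t, -1, N)
        # One value for the case r^2 = a and one for r^2 = -a; the recipient
        # knows which case applies to its key, the sender does not.
        ciphertext.append(((t + a * t_inv) % N, (t - a * t_inv) % N))
    return ciphertext


def decrypt(identity, r, ciphertext):
    """Recover the bits with the private key r obtained from the PKG."""
    a = identity_to_public_key(identity)
    use_plus = (r * r) % N == a
    bits = []
    for c_plus, c_minus in ciphertext:
        c = c_plus if use_plus else c_minus
        bits.append(1 if jacobi(c + 2 * r, N) == 1 else 0)
    return bits


def bytes_to_bits(data):
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def bits_to_bytes(bits):
    return bytes(int("".join(map(str, bits[i:i + 8])), 2)
                 for i in range(0, len(bits), 8))


if __name__ == "__main__":
    alice = "alice@example.org"            # constructed identity
    r_alice = pkg_extract(alice)           # only the PKG can do this
    ct = encrypt(alice, bytes_to_bits(b"hi"))
    print(bits_to_bytes(decrypt(alice, r_alice, ct)))
```

Each bit costs two group elements, so the scheme is used in practice only to transport a symmetric key, not bulk data.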


12.2.2 Trends 


In addition to the advantages already mentioned, identity-based cryptography 
(IBC)—at least in its simplest form—also has to contend with some challenges. 
These include, in particular, the fact that it requires a trusted third party that knows 
all the private keys of the identities as stated in the key escrow problem [2]. Other 
challenges are that no revocation of compromised keys is possible without changing 
the identity, and that the trusted third party poses a problem in terms of scalability, 
availability, and risk distribution. 

Solutions to these challenges are partially available. For example, Hierarchical 
Identity Based Encryption (HIBE) [3-6] can be used to distribute risk and load 
across a system of hierarchical PKGs (private key generators). There are also 
proposed solutions for the key-escrow problem [7-9]. However, in many cases, 
these solutions are not yet well-tested or have limitations of their own. Finally, 
resistance to quantum computing is likely to be an issue since many of today's 
solutions are based on assumptions about difficult-to-solve problems on elliptic 
curves. Approaches that rely on lattice-based cryptography, which is believed to be 
resistant to quantum computing, have existed since 2008. However, these are not yet 
ready for practical use because of various open questions and factors such as too-large 
public keys [10]. It is therefore expected that this technology will continue to be 
actively researched and improved in the coming years. Additional application areas 
and forms will be proposed and tested. 

In practice, applications of IBC are still relatively rare, although there are now 
various standards for IBC procedures and their application, e.g., ISO/IEC 
18033-5:2015 or IEEE 1363.3-2013. Examples of products where IBC can already be used 
today are FortiMail from Fortinet or Voltage SecureMail Cloud. Another example 
where IBC is used is the MIKEY-SAKKE protocol for securing communication 
links, which is standardized in IETF RFCs 6507, 6508, and 6509 and is being 
actively pushed by the UK's National Cyber Security Centre (NCSC). While 
isolated solutions currently exist in individual companies and sectors, the use 
of MIKEY-SAKKE should later allow seamless cross-government and industry 
communication. This is why the NCSC only certifies secure Voice-over-IP (VoIP) 
clients for official use by the UK government that support this protocol. A good 
overview of the topic and possible application areas is provided by the ETSI 
Technical Report 103 719 from March 2022, which is also suitable for 
non-experts [11]. ETSI sees, in particular, government and enterprise applications, 
public safety and mission-critical applications, the Internet of Things, and Intelligent 
Transport Systems as promising application areas. 


12.3 Consequences for Switzerland 


Regarding knowledge and research, Switzerland is in a good spot with researchers 
at ETH Zurich, EPFL, IBM Rüschlikon, and other institutions that work on or have 
worked on identity-based cryptosystems. Switzerland should continue to invest in 
research in that domain, as it is an active research field with many open issues and 
room for improvement. In contrast to research, it seems that the technology did not 
get much attention in Switzerland's public and private sectors yet, despite being a 
viable solution for several application domains. Suppose this technology was better 
known among companies and individuals building solutions with cryptographic 
building blocks. In that case, the available range of solutions and the innovation 
potential could be better exploited. 
Table 12.1 Implementation possibilities for different sectors. 

Military 
  Private, pros: strategic and operational independence 
  Private, cons: cost and interoperability 
  Public, pros: products might have been analyzed for their security by different 
    cryptographers and researchers 
  Public, cons: dependence on (proprietary) solutions from actors not under your 
    control, and supply-chain risks 

Civil Society 
  Private, pros: expertise can be utilized in many areas; trust in Swiss-made 
    solutions and full transparency is possible 
  Private, cons: cost and interoperability 
  Public, pros: cheaper and faster in the short term, more trust in the long term 
    if there is a large user base 
  Public, cons: dependence on foreign actors and enterprises, no Swiss finish 
    (customizations), and less transparency 

Economy 
  Private, pros: expertise can be utilized in many areas; business opportunities 
  Private, cons: cost and interoperability 
  Public, pros: better time to market, more trust in the long term (if larger 
    user base) 
  Public, cons: less or no flexibility if custom features and extensions are 
    needed to innovate 


12.3.1 Implementation Possibilities: Make or Buy 


This section presents the pros and cons of buying or making identity-based 
cryptography solutions (Table 12.1). 


12.3.2 Variations and Recommendation 


Many identity-based cryptosystems with widely differing properties and application 
domains exist. We can name the closed IBE cryptosystem, the open IBE cryptosystem, 
or the Intelligent Transport System. Therefore, it is out of this study's scope 
to discuss the different variations of such systems. We refer the reader to ETSI's 
technical report [12] as a good starting point for a general discussion. For the same 
reason, it is also difficult to give any recommendation other than that IBC should not 
be used whenever the existence of a trusted third party that knows the private keys is 
considered a problem, as this property is needed for the functioning of the system, 
unless one uses research-grade IBC that at least partially addresses this issue. For 
other recommendations, [12] contains some and serves as a starting point for more 
in-depth investigation. 


12.4 Conclusion 


Identity-based encryption systems are characterized by the fact that the public key 
is easy to remember, and the implementations skip the step of linking the public key 
to a specific identity. However, they also have some disadvantages. In particular, 
the trust that must be placed in the trusted third party is significantly higher than in 
traditional public key systems. 

Whether these and other potentially disadvantageous properties, such as the lack 
of well-tested quantum-safe solutions, are relevant depends on the specific use 
case. Moreover, the lively research activity in the field can potentially mitigate or 
eliminate undesirable properties. 
Chapter 13 
Multi-Party Threshold Cryptography 


Christian Cachin 


13.1 Introduction 


Multi-party threshold cryptography (MPC) is a type of cryptography that enables 
secure computations to be performed jointly by multiple parties. It allows multiple 
parties to collaborate and perform sensitive operations such as decryption or signing 
without revealing their private keys. Threshold cryptography (TC) uses secret 
sharing to split secret information into pieces and distribute them among several 
parties. To perform a computation, a threshold of the parties must come together and 
combine their shares, creating a new piece of information. The minimum number of 
parties needed to perform the computation is called the threshold, which can be set 
in advance. TC can be used to protect privacy in cloud computing, secure financial 
transactions, and other sensitive applications where multiple parties are involved. 
It ensures that the secret information remains secure even if some of the parties 
involved are compromised, as long as the threshold is not reached. 


13.2 Analysis 


13.2.1 Definition 


Cryptographic techniques, such as public-key encryption and digital signatures, are 
ubiquitous in today’s security infrastructures. However, recent years have seen a 
move towards building resilient distributed systems (such as blockchains [1]), which 
gain security by drawing on replication and redundancy and rely on multiple parties 
to operate. Threshold cryptography is the technology that lets such systems execute 
cryptographic operations. Since no single party may hold the secret material (such as 
the private key), because a corrupted party could leak it, the cryptographic 
operations themselves must also be distributed. 

In a threshold cryptosystem, the private key is typically distributed among the N 
parties that constitute the system using cryptographically secure secret sharing. Up 
to F of the parties might be faulty and leak their key shares, but F+1 must cooperate 
in executing a cryptographic operation. From the outside, the cryptographic result 
(such as the digital signature or the decryption of a ciphertext) is the same as if 
the operation had been executed on a single party. It is crucial that the operation 
reveals nothing about the private key to the faulty parties and that it is robust. 
That is, it cannot be disrupted by faulty parties that may act maliciously. Threshold 
cryptosystems require at least N > 2F, which means that any minority of the 
parties could become corrupted. 

Threshold cryptosystems have been developed for most public-key cryptosys- 
tems in use today. This includes digital signatures (RSA, DSA, ECDSA, BLS, 
and more), encryption (RSA, variants of ElGamal encryption, including pairing-based 
ones), and coin-tossing for producing unbiased randomness. However, 
the efficiency of implementations differs widely depending on the mathematical 
structure of the underlying cryptosystem; for example, threshold implementations 
of BLS-based schemes are easy to build and relatively efficient, but the operations 
of DSA and ECDSA are challenging to distribute. 

Particular focus must be placed on generating the private key held jointly by the 
parties. The simplest method would be to generate the key material on a single node, 
but this introduces more centralization than is generally accepted. The reason is that 
this node itself could become corrupted, contradicting the motto that no single party 
can be trusted. Protocols for distributed key generation (DKG) have therefore been 
developed. However, they are often more complex than the standard operation of the 
public-key schemes, and they require integration with a distributed communication 
platform. 

Notably, threshold cryptosystems differ widely according to their needs for 
interaction among the parties. The most efficient schemes are non-interactive: when 
producing a digital signature, every party generates a "share" of such a signature 
and disseminates it. Upon receiving F + 1 such shares, every party can obtain 
the digital signature. Many other schemes, however, require multiple rounds of 
interaction among the parties and some steps in which they reach a consensus on 
which parties have been potentially faulty during the key-generation process. These 
are more difficult to implement and are not widely available or deployed today. A 
typical example from the latter category is DKG protocols: they require more than 
one round of communication and some "agreement" on which parties terminated 
the protocol correctly. 
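As an added example for the N, F and F+1 model defined above and for the non-interactive share-combination step (this is example code, not the chapter's own), here is Shamir secret sharing over a prime field: a dealer splits a secret into N shares, any F+1 shares recombine it, and F leaked shares constrain nothing. The field prime, the party count, the demo secret and the function names are constructed choices; the final block also shows why a single corrupted share silently breaks reconstruction unless shares are verifiable.

```python
import secrets

# Prime field for the sharing polynomial. 2^127 - 1 is a known Mersenne
# prime; secrets and shares are field elements below it (demo choice).
PRIME = 2**127 - 1


def check_parameters(n, f):
    """The chapter's condition N > 2F: only a minority may be faulty."""
    if n <= 2 * f:
        raise ValueError(f"N={n} cannot tolerate F={f} faulty parties (need N > 2F)")


def evaluate(coefficients, x):
    """Horner evaluation of a polynomial over GF(PRIME)."""
    result = 0
    for c in reversed(coefficients):
        result = (result * x + c) % PRIME
    return result


def interpolate(points, x):
    """Lagrange interpolation over GF(PRIME) through the given (x_i, y_i)."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def split_secret(secret, n, f):
    """Deal N shares so that any F+1 of them reconstruct the secret.

    The constant term is the secret and the other F coefficients are random,
    so the polynomial has degree F: F+1 points pin it down, F points do not.
    """
    check_parameters(n, f)
    coefficients = [secret % PRIME] + [secrets.randbelow(PRIME) for _ in range(f)]
    return [(i, evaluate(coefficients, i)) for i in range(1, n + 1)]


def reconstruct(shares, f):
    """Non-interactive combination: F+1 distinct shares give the value at x=0.

    Each party only disseminates its share; whoever collects F+1 of them
    interpolates locally, with no further rounds of interaction.
    """
    if len({x for x, _ in shares}) < f + 1:
        raise ValueError("need at least F+1 shares from distinct parties")
    return interpolate(shares[: f + 1], 0)


def adversary_guess(leaked, f):
    """What F leaked shares yield for an attacker who must invent the
    (F+1)-th share: every invented value gives a different, equally likely
    'secret', so the leak reveals nothing about the real one."""
    assert len(leaked) == f
    missing_x = max(x for x, _ in leaked) + 1
    fake = (missing_x, secrets.randbelow(PRIME))
    return interpolate(leaked + [fake], 0)


if __name__ == "__main__":
    n, f = 5, 2                 # 5 parties, up to 2 faulty: 5 > 2*2 holds
    secret = 0xC0FFEE           # constructed demo secret (stands in for a key)
    shares = split_secret(secret, n, f)
    print(hex(reconstruct(shares[2:5], f)))       # any 3 of the 5 shares
    print(hex(adversary_guess(shares[:f], f)))    # 2 shares: random output
    # A faulty party handing in a corrupted share breaks the result without
    # any error, which is why robust schemes use verifiable secret sharing
    # (share commitments) so honest parties can reject bad shares.
    corrupted = [shares[0], shares[1], (shares[2][0], shares[2][1] ^ 1)]
    print(reconstruct(corrupted, f) == secret)    # False
```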
13.2.2 Trends 


Threshold cryptosystems have been explored in the cryptographic literature, and 
prototype systems have existed, for a long time, starting around 1990 [2]. However, they 
have only seen industrial applications in the last 10 years. This trend has resulted 
from the appeal of blockchain platforms, which have demonstrated the advantage of 
building secure, resilient systems from multiple and less trustworthy components. 
As a result, the system remains intact even if some components fail or become 
corrupted. 

Most practical blockchain networks today do not support threshold cryptography 
for applications nor exploit it internally, although several have proposed using 
the technology. A notable exception is perhaps the Internet Computer (built by 
DFINITY, [3]), which uses threshold-cryptography schemes at its core. The reasons 
for this are manifold: lack of cryptographic expertise among developers, no 
standards, and the complexity of implementations. 

Nevertheless, the trend toward implementing and deploying threshold cryptosys- 
tems is clear and will accelerate. Most practical secure distributed platforms will 
be enhanced with this capability. Furthermore, several standardization efforts are 
underway: NIST in the United States has initiated an effort to standardize multi- 
party threshold cryptography [4], which is currently underway. The IETF/IRTF, 
through their Crypto Forum Research Group (CFRG), is also pushing the develop- 
ment and standardization of specific threshold cryptosystems for use on the Internet. 

Most efforts until 2025 will come from the “blockchain ecosystem", producing 
implementations that are available as open source. As a result, one may expect 
multiple libraries for specific platforms and generic services to become available. 

The NIST effort has yet to gain much momentum. As a result, NIST is likely to 
focus on standardization first. Nevertheless, the field offers considerable complexity, 
ranging from data formats over protocol interactions to security aspects, like 
cryptographic parameters. This makes it unlikely that the effort will lead to concrete 
standards and widely available implementations until 2025. Nevertheless, over a 
longer time, this is likely to happen. 


13.3 Consequences for Switzerland 


13.3.1 Implementation Possibilities: Make or Buy 


Cryptographic algorithms must be standardized globally, and their security needs 
broad public analysis. These processes are typically multi-year efforts driven by 
governmental or private-sector standardization agencies. The key players of the 
IT industry are often represented or participating actively in this development. 
Other active drivers are startups and smaller companies with deep expertise in the 
algorithms and their implementation that place a bet on the technology itself. 
It is therefore expected that standards for threshold cryptography and the 
corresponding open-source implementations will also emerge without concrete 
steps taken by the Swiss government. Instead, cryptographic libraries suitable for 
standardized wide deployment will become available from public and commercial 
sources. To obtain the expertise necessary to autonomously build applications that 
rely on threshold cryptography and exploit it, investment and education will be 
needed. Switzerland is positioned well in this space since multiple universities 
(ETHZ, EPFL, University of Bern) and many private companies, especially in the 
blockchain environment, have deep expertise in the domain. 


13.3.2 Variations and Recommendation 


Like blockchain platforms, threshold cryptosystems realize secure applications from 
partially untrusted components. They exist in many forms, so the suitability for 
every concrete deployment has to be analyzed in detail. However, if used in a 
matching application scenario, they greatly enhance the security and resilience of 
the application. 

It is recommended that Switzerland closely watches the development of threshold 
cryptography and invests moderately in it. In this sense, the technology seems 
related to post-quantum cryptography and its positioning; this is another area of 
active worldwide technology development in cryptography research. Switzerland is 
one of many active players in this field, but the technology still needs to mature 
before industrial deployment would merit a direct commercial investment. 


13.4 Conclusion 


For building secure distributed systems that can survive a partial corruption of their 
components, multi-party threshold cryptography plays an important role. It is related 
to secure multi-party computation because both use the same trust model, also 
found in many blockchain platforms. However, MPC systems are more general than 
threshold cryptosystems and may compute arbitrary functions, whereas threshold 
cryptosystems are limited to operations with cryptographic keys. In addition, MPC 
protocols are several orders of magnitude less efficient than the typical threshold 
cryptosystems. Therefore, threshold cryptosystems are expected to be deployed 
earlier than MPC-based systems. 
Chapter 14 
Searchable Symmetric Encryption 


Cyrill Krähenbühl and Adrian Perrig 


14.1 Introduction 


Searchable symmetric encryption (SSE) allows operating on encrypted data, in 
particular keyword-based search on documents and range-based search on spatial 
data. Various methods can be used in SSE, such as order-preserving encryption 
or fully homomorphic encryption for different levels of information leakage. New 
schemes with more efficient search operation and reduced access and search pattern 
leakage that support novel settings, such as dynamic data sets and multiple users, 
have been proposed in the last few years. Especially with the emergence of cloud 
storage, encrypting sensitive remote data while preserving the ability to efficiently 
operate on it is an ample opportunity for the military and industry. However, 
there are risks when deploying SSE that must be taken into account since some 
SSE schemes proposed in the past have been (completely) broken by the research 
community. 


14.2 Analysis 


14.2.1 Definition 


In the searchable symmetric encryption (SSE) setting, there is a collection of files 
where keywords are associated with each file. A user searches for all files in the 
collection associated with a specific keyword. Neither the content of files nor the 
associated keywords should be revealed to an unauthorized entity. To achieve this, 
files and keywords are encrypted, and only users with the respective keys can search 
the collection and decrypt files. Depending on the SSE protocol, files can be added 
and removed (dynamic), files can be added but not removed (semi-dynamic), or all 
files must be present when the system is set up and cannot change over time (static). 

SSE should not be confused with Public Key Encryption with Keyword Search 
(PEKS), a related technique that allows holders of a public key to add encrypted 
files to the collection and the private key holder to search for and decrypt files. 

The security of an SSE protocol is defined by its privacy leakage, i.e., how much 
information is leaked in addition to necessarily leaked information such as the file 
sizes, access patterns, and search patterns under different attacker models (adaptive 
and non-adaptive attackers) [1]. 

Fully homomorphic encryption (FHE) is another cryptographic primitive to 
operate on encrypted data without revealing the results. Although FHE can provide 
stronger privacy guarantees than SSE, it is computationally more expensive and 
requires data in homogeneous form, while SSE can operate on any heterogeneous 
data. 

There are several variations on the SSE model. For example, some SSEs consider 
searches for data ranges instead of searches for specific keywords. Such SSEs are 
useful for outsourcing encrypted spatial data, e.g., collecting location-indexed data. 
However, early constructs, such as order-preserving encryption [2], are vulnerable 
to database reconstruction attacks [3]. 

Traditional SSEs operate in a single-user setting, but some SSE also considers a 
multi-user setting, where users can be added and removed, which brings additional 
challenges, such as colluding users. 


14.2.2 Trends 


There is a long history of research on SSE, starting with early work in 2000 by Song 
et al. [4]. Over the last 20 years, SSEs have improved functionality, security, and 
efficiency. First, the functionality of SSE schemes was improved, e.g., by allowing 
modifications to the dictionaries [5]. The attacker model was extended to provide 
forward privacy (previous search queries cannot be associated with future updates) 
and backward privacy (search queries cannot be associated with deleted documents). 
Finally, SSE schemes have become increasingly efficient (e.g., Aura [6], which has a 
sub-millisecond index insertion time and a sub-microsecond deletion time). 
State-of-the-art SSE schemes have become practical to be used in real-world settings while 
providing strong security properties [6, 7]. 

With the emergence of cloud-based services and storage, parties in various 
sectors have decided to move their data to cloud storage, significantly reducing 
operational costs. In most cases, the cloud infrastructure is not hosted by the party 
but by an independent provider. In such cases, it is often preferential or even required 
by law or policy to only store encrypted data in the cloud. Unfortunately, storing 
encrypted data makes searching the database impossible for the provider that does 
not possess the decryption keys. SSE allows parties to combine the benefits of 
encrypted cloud storage while retaining the ability to search this data. Since the 
trend of increasingly using cloud storage is not expected to slow down in the near 
future, efficient SSE approaches are likely to be increasingly used. 

However, it is essential to note that correctly designing and implementing SSE is 
difficult. Many proposed systems have become insecure as they leak access patterns 
or even allow reconstructing the complete database [8, 9]. The risk of storing 
sensitive data on remote storage using SSE must thus be carefully evaluated 
case-by-case. 


14.3 Consequences for Switzerland 


There is ample opportunity to move more sensitive data to the cloud to reduce 
hardware and management costs and facilitate information sharing. At the same 
time, privacy regulations or company-specific policies that require sensitive data to 
be encrypted fuel the need for SSE. 


14.3.1 Implementation Possibilities: Make or Buy 


For the military, public cloud solutions are likely not up to their standard in terms of 
security and reliability. However, the military must collaborate with foreign armed 
forces, police forces, or between different divisions. Therefore, custom-built SSE 
solutions running on trustworthy cloud infrastructures could be attractive, especially 
for sharing data within Switzerland. Furthermore, a solution offered by a trustworthy 
international source could also be an exciting option for collaboration with foreign 
entities. 

For the civil society and economy sector, custom-built solutions may be pro- 
hibitive in terms of cost and complicate collaboration with other entities. Public 
cloud SSE solutions are also attractive due to their low cost and simple management. 
A straightforward use case for SSE in civil society is storing privacy-sensitive 
healthcare data on a public cloud for collaboration between health insurance 
providers, hospitals, and clinics (Table 14.1). 


14.3.2 Variations and Recommendation 


There is typically a trade-off between the low cost, straightforward management, 
and ease of collaboration of (public) cloud-based SSE solutions and the stronger 
security guarantees of self-hosted storage (which can be further improved through 
SSE). In general, which type of SSE should be used depends on the application (e.g., 
keyword search or geometric range search on spatial data), the efficiency, and the 
security requirements. 

Table 14.1 Implementation possibilities for different sectors 

Military 
  Make, pros: custom solutions could provide stronger assurances for storing highly 
    sensitive data 
  Make, cons: none 
  Buy, pros: use SSE technology from trusted sources for sharing data with other 
    armed forces 
  Buy, cons: risk of tampered software introducing backdoors 

Civil Society 
  Make, pros: create a Swiss-wide solution for specific sectors, i.e., health care 
  Make, cons: costs 
  Buy, pros: useful for sharing data between a larger number of collaborating 
    entities 
  Buy, cons: potential legal hurdles if proprietary code is used for sensitive 
    citizen data 

Economy 
  Make, pros: for large companies relying on cloud storage, a custom approach can 
    enhance the privacy of cloud data 
  Make, cons: costs 
  Buy, pros: can use existing services offered by cloud providers 
  Buy, cons: none 


14.4 Conclusion 


SSE provides the necessary tools to ensure privacy for the transitions of different 
sectors from local storage to cloud-based remote storage. The benefits of cloud- 
based services have been shown over the last decade for virtually all sectors. 
Moreover, this trend of moving data to the cloud does not show any signs of slowing 
down, making efficient and secure SSE solutions a vital tool for Switzerland in the 
coming years. However, the secure usage of SSE approaches is very challenging; 
thus, data security needs to be carefully assessed, especially in the case of highly 
sensitive information. 
Chapter 15 
Digital Signature 


Weyde Lin 


15.1 Introduction 


The chapter “Digital Signature" covers the use of cryptographic methods and 
asymmetric cryptography to sign data and provide origin authentication, data 
integrity, and signer non-repudiation. The signing process involves generating a 
hash of the data using a cryptographic hashing function, encrypting the hash with the 
signing party's private key, and sending the data and encrypted hash to the verifying 
party. The verifying party can determine the validity of the signature by generating a 
hash of the data and comparing it to the decrypted hash. The digital signature market 
is expected to grow by around 30% annually over the next few years, with a focus on 
reducing friction for users and ensuring security. In Switzerland, organizations can 
either make their digital signature solution for internal use or buy a solution from 
established companies offering digital signature services. 


15.2 Analysis 


A digital signature uses cryptographic hashing functions and asymmetric cryptog- 
raphy to sign data. It also provides origin authentication (attribution to a particular 
individual), data integrity (proof that data has not been tampered with in transit or 
otherwise), and signer non-repudiation (signers cannot deny that they signed data). It 
is possible to apply a digital signature to any data, including emails, contracts (e.g., 
in PDF format), and messages. A qualified electronic signature (QES) is based on a 
digital signature. In many legislative frameworks, a QES is the digital equivalent of 
a handwritten signature. 


15.2.1 Definition 


Figure 15.1 illustrates the signing and verifying of a digital signature. To digitally 
sign data, two cryptography functions are used [1, 2]. The first step is to generate 
a hash (fingerprint) of the data using a cryptographic hashing function (see Hash 
Functions in Chap. 5). The hash is then encrypted by the signing party using its 
private key. This encrypted hash is the data's digital signature. Finally, the data 
and the signature are sent to the verifying party as separate files in a container 
or embedded in the data (e.g., signed PDF). As part of the verification process, 
the verifying party generates the hash of the data using the same cryptographic 
hashing function. Additionally, the verifying party decrypts the signature using the 
signing party's public key, resulting in a decrypted hash that only the signer could 
have generated. The verifying party can determine whether the digital signature is valid 
by comparing the decrypted hash with the calculated hash [3]. When a public key 
is used with a public key certificate (i.e., a certificate that confirms the validity of a 
public key and contains information about the key owner), it can be identified who 
signed the document, or it can be proved that it was signed by a specific individual 
(see Public Key Infrastructure in Chap. 10). 
Fig. 15.1 Schematic depiction of the digital data signing and verifying process 

15.2.2 Trends 


With the increasing digitalization of business processes and other processes in 
general, the ability to apply and verify digital signatures will become increasingly 
important: the digital signature market size is expected to grow by approximately 
30% annually over the next few years [4]. However, it is essential to note that 
although the EU and Switzerland both have laws regarding qualified electronic 
signatures (QES), and they are technically compatible, the issue of mutual legal 
recognition still needs to be fully resolved [5]. 

Through the use of digital signatures, current paper-based processes will not 
only be replaced, but they will also be improved, e.g., through audit trails (i.e., 
tracking documents from beginning to end by digitally signing each process step 
and saving them alongside the document, ensuring document integrity at each stage 
and providing legal protection as admissibility in court). For digital and electronic 
signatures to reach widespread adoption, it is necessary to reduce the friction for the 
user, for example, by making it possible to generate signatures on mobile devices. 
The wide acceptance of the digital signature also requires it to be secure. Digital 
signatures, however, are only as secure as the cryptographical methods (e.g., hash 
functions) they are based upon. As computation power increases and quantum 
computing becomes feasible, attacks on underlying cryptographic methods become 
more effective [6], thereby endangering the security of digital signatures as well (see 
Post-Quantum Cryptography in Chap. 10). 
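The sign-the-hash construction described in Sect. 15.2.1 and the signed audit trail described above, as an added example that is not part of the chapter. It uses only Go's standard library (ECDSA over P-256 with SHA-256); the key pairs, the two document versions and the step names are constructed for the illustration. Each audit-trail entry hashes the previous entry, the document version at that moment and the step description, and is signed by the party performing the step, so rewriting or dropping an earlier step invalidates every later link:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// newSigner creates a P-256 key pair for one signing party (constructed for
// the example; in practice the private key lives in an HSM, token or mobile TEE).
func newSigner() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signDocument hashes the document and signs the digest with the private key.
func signDocument(priv *ecdsa.PrivateKey, document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// verifyDocument recomputes the digest and checks it against the signature
// with the public key; a modified document or a wrong key yields false.
func verifyDocument(pub *ecdsa.PublicKey, document, sig []byte) bool {
	digest := sha256.Sum256(document)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// Step is one signed entry of an audit trail. Its Hash binds the previous
// entry, the document version at that time and the action performed.
type Step struct {
	Action   string
	DocHash  [32]byte
	PrevHash [32]byte
	Hash     [32]byte
	Sig      []byte
	Signer   *ecdsa.PublicKey
}

// stepHash links an entry to its predecessor and to the document version.
func stepHash(prev, doc [32]byte, action string) [32]byte {
	h := sha256.New()
	h.Write(prev[:])
	h.Write(doc[:])
	h.Write([]byte(action))
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// appendStep records and signs one process step for the current document version.
func appendStep(trail []Step, priv *ecdsa.PrivateKey, document []byte, action string) ([]Step, error) {
	var prev [32]byte
	if n := len(trail); n > 0 {
		prev = trail[n-1].Hash
	}
	s := Step{Action: action, DocHash: sha256.Sum256(document), PrevHash: prev, Signer: &priv.PublicKey}
	s.Hash = stepHash(prev, s.DocHash, action)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, s.Hash[:])
	if err != nil {
		return nil, err
	}
	s.Sig = sig
	return append(trail, s), nil
}

// verifyTrail checks every chain link and signature, and that the last step
// was made over the document as it is presented now.
func verifyTrail(trail []Step, finalDocument []byte) error {
	var prev [32]byte
	for i, s := range trail {
		if s.PrevHash != prev || s.Hash != stepHash(prev, s.DocHash, s.Action) {
			return fmt.Errorf("step %d: broken chain link", i)
		}
		if !ecdsa.VerifyASN1(s.Signer, s.Hash[:], s.Sig) {
			return fmt.Errorf("step %d: invalid signature", i)
		}
		prev = s.Hash
	}
	if len(trail) == 0 || trail[len(trail)-1].DocHash != sha256.Sum256(finalDocument) {
		return errors.New("final document does not match the last signed version")
	}
	return nil
}

func main() {
	author, _ := newSigner()
	reviewer, _ := newSigner()
	v1, v2 := []byte("contract v1 (constructed)"), []byte("contract v2 (constructed)")
	sig, _ := signDocument(author, v1)
	fmt.Println("valid:", verifyDocument(&author.PublicKey, v1, sig), "tampered:", verifyDocument(&author.PublicKey, v2, sig))
	trail, _ := appendStep(nil, author, v1, "drafted")
	trail, _ = appendStep(trail, reviewer, v2, "reviewed")
	fmt.Println("trail:", verifyTrail(trail, v2))
	trail[0].Action = "approved" // someone rewrites history after the fact
	fmt.Println("rewritten trail:", verifyTrail(trail, v2))
}
```

The trail stores the document hash per step rather than the document itself, so intermediate versions may change between steps; only the final version has to be present at verification time. Replacing the per-signer key pairs with certificates from a PKI is what turns "this key signed it" into "this person signed it", as the text notes.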


15.3 Consequences for Switzerland 


15.3.1 Implementation Possibilities: Make or Buy 


Make: It is important to note that a digital signature is only helpful if all parties use the same standard. As a result, building your own digital signature product is only suitable for purely internal use within an organization, which is rarely the case. Where it does apply, building your own solution for signing data allows you to control all aspects of the signing process. Military applications may benefit from this approach. 

Buy: Many other use cases, especially those in which data is shared with third parties, could benefit from buying from one of the established companies offering digital signature services (e.g., DocuSign, Connective, Adobe Sign, OneSpan, Evidos, Signicat, SigningHub, Cryptomathic) or electronic signatures (accredited under ZertES, the Federal Act on Electronic Signatures: Swisscom (Schweiz) AG, QuoVadis Trustlink Schweiz AG, SwissSign AG, Bundesamt für Informatik und Telekommunikation BIT [7]). Furthermore, in civil society and the economy, purchasing commercial off-the-shelf (COTS) products from accredited companies is beneficial since they are already certified, meet the legal framework, and should be compatible with other products. 
15.3.1.1 Distinction from Electronic Signature 


The term electronic signature is sometimes used as a synonym for digital signature [8]. Despite this, in many legislations (e.g., eIDAS in the European Union or ZertES in Switzerland), the term electronic signature (or e-signature) has a particular meaning. It refers to signing data with the same legal status as a handwritten signature. Electronic signatures are often based on a digital signature. In the EU (eIDAS Regulation [9]) and Switzerland (ZertES [10] and VZertES [11]), this is codified in law. Electronic signatures can be classified into the following types: 


* Qualified electronic signature (QES): A QES is recognized as equivalent to a handwritten signature in Switzerland and the European Union. A QES is based on a digital signature and can be used for documents that require a legal form (e.g., employment contracts). 

* Advanced electronic signature (AES): An advanced electronic signature is also based on a digital signature but does not provide liability protection. It defines specific technical requirements for electronic signatures and allows for the signer's identification. An AES can be used for documents that do not require a legal form (e.g., rental agreements). 

* Basic electronic signature: A handwritten or scanned signature can be used, as well as a signature recorded with a stylus on a tablet. There is no legal or technical requirement for this type of signature. 


Everything regarding the usage of the electronic signature can be found in the 
Federal Act on certification services in the field of electronic signatures and other 
applications of digital certificates [12]. 


15.3.1.2 Code Signing 


A particular case of the digital signature is code signing, which entails digitally 
signing executables and scripts. By doing so, it is possible to verify the code’s author 
and ensure that it has not been altered or compromised since it was signed. 


15.4 Conclusion 


As (business) processes become more digitalized, digital and qualified electronic signatures will play an increasingly important role. As part of these processes, verifying the authorship of some data and whether the data was altered during transport will be necessary. However, a digital signature is only as secure as the cryptographic mechanism underlying it (e.g., hash functions, public key encryption), so the developments in those fields must be studied and adapted for use in digital signatures. 
Chapter 16 
Hardware Security Module 


Maria Sommerhalder 


16.1 Introduction 


This chapter provides an analysis of hardware security modules (HSMs). HSMs 
are specialized devices that perform cryptographic operations and store private- 
public key pairs and their associated secret values. They are widely used in various 
industries, such as banking, insurance, digital identity, and blockchain, to secure 
data. The chapter begins with defining HSMs and explaining their function and use 
in the cryptographic process. It also discusses trends in the use of HSMs until 2025, 
including the rise of cloud computing, double-key encryption, and the increasing 
demand for HSMs in the banking, financial services, and insurance industries. The 
chapter concludes by mentioning some of the key players in the global HSM market. 


16.2 Analysis 


Various industries use hardware security modules (HSMs) to secure data, including 
banking, insurance, digital identity, and blockchain applications. Their functions 
include key generation, key management, encryption, decryption, and hashing. 


M. Sommerhalder 
Eraneos Switzerland AG, Zurich, Switzerland 
e-mail: Maria.Sommerhalder@eraneos.ch 


© The Author(s) 2023 
V. Mulder et al. (eds.), Trends in Data Protection and Encryption Technologies, 
https://doi.org/10.1007/978-3-031-33386-6_16 


16.2.1 Definition 


A vital component of the cryptographic process is generating and storing private-public key pairs and their associated secret values. HSMs are typically used in critical infrastructure such as payment solutions, encryption systems on the Internet, and certificate management systems [1]. HSMs are specialized devices that conduct cryptographic operations and use a random number source to generate public-private key pairs and subsequently store them. Most HSM systems are designed to store information on the device itself. However, some systems can back up secret values outside the HSM perimeter, such as on USB storage devices, hard disks, smart cards, or other digital media [2]. In addition to providing logical protection for keys, HSMs also provide physical protection. For example, some devices are equipped with tamper-proofing features such as logging and alerting mechanisms, and more intrusive features such as wiping the entire contents when tampering is detected, rendering the device inoperable [3]. In addition, HSMs have the advantage of isolating cryptographic processes from other operations, resulting in more efficient processing and additional security [3]. 


16.2.2 Trends 


For over 20 years, HSMs have been used to protect cryptographic material in multiple applications [4]. However, a Ponemon Institute survey of 580 IT and security practitioners worldwide (55% from organizations with 1000 or more employees) found that HSMs are primarily used for key management or payment. A survey conducted in 2014 found that organizations typically use 13 modules for key management, followed by eight for payment purposes [5]. 

The advent of cloud computing has increased the complexity of securing critical data. Data is now stored in the cloud: the percentage of corporate data stored in the cloud in organizations worldwide has doubled from 30% in 2015 to 60% by 2022 [6]. Many companies are concerned that their data will be unprotected from unauthorized access by the cloud provider or by the US government in case of a subpoena, as most of the renowned cloud providers operate from the United States. As a result, double-key encryption, which encrypts data using two keys, has become increasingly popular. One key is stored on an HSM, and the other is stored in the cloud. Before storing the data in the cloud, the owner of the data or the HSM vendor encrypts it so that the cloud provider cannot decrypt it. Parties can only access the data with both keys [7]. The use of double-key encryption is widespread in highly regulated industries such as banking, health, and the public sector to comply with privacy and data protection laws [7]. 
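The property described above, that the data can only be read by a party holding both keys, as an added example that is not part of the chapter and not any vendor's scheme. It layers two independent AES-256-GCM encryptions using only Go's standard library: the inner layer under the key the data owner keeps in its HSM, the outer layer under the key held by the cloud provider. The keys and the sample record are constructed for the illustration; a missing key is simulated by a freshly generated wrong key:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// seal encrypts plaintext under one 256-bit key with AES-GCM and prefixes the
// random nonce to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal. GCM authentication fails for a wrong key or any
// modification of the ciphertext, so there is no silent garbage output.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// doubleEncrypt applies the HSM-held key first and the cloud-held key second.
// Neither key holder alone can recover the plaintext.
func doubleEncrypt(hsmKey, cloudKey, plaintext []byte) ([]byte, error) {
	inner, err := seal(hsmKey, plaintext)
	if err != nil {
		return nil, err
	}
	return seal(cloudKey, inner)
}

// doubleDecrypt removes the layers in reverse order and reports which one failed.
func doubleDecrypt(hsmKey, cloudKey, sealed []byte) ([]byte, error) {
	inner, err := open(cloudKey, sealed)
	if err != nil {
		return nil, fmt.Errorf("cloud layer: %w", err)
	}
	pt, err := open(hsmKey, inner)
	if err != nil {
		return nil, fmt.Errorf("HSM layer: %w", err)
	}
	return pt, nil
}

// newKey returns a fresh random 256-bit key (constructed for the example; the
// HSM key would never leave the module in a real deployment).
func newKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

func main() {
	hsmKey, cloudKey := newKey(), newKey()
	record := []byte("patient record 0042 (constructed sample)")
	sealed, _ := doubleEncrypt(hsmKey, cloudKey, record)
	pt, err := doubleDecrypt(hsmKey, cloudKey, sealed)
	fmt.Printf("both keys: %q, err=%v, equal=%v\n", pt, err, bytes.Equal(pt, record))
	_, err = doubleDecrypt(newKey(), cloudKey, sealed) // provider without the HSM key
	fmt.Println("cloud key only:", err)
	_, err = doubleDecrypt(hsmKey, newKey(), sealed) // owner without the cloud key
	fmt.Println("HSM key only:", err)
}
```

In this construction the HSM-side decryption is the step that would run inside the module, so the cloud provider only ever sees the inner ciphertext. Because GCM authenticates each layer, a wrong key or a modified ciphertext produces an error rather than plausible-looking plaintext.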

Global payment markets are expanding, resulting in a higher demand for HSMs to secure payment-related cryptographic operations. Many other factors are driving the growth of the HSM market, including the rise of cybersecurity threats and the need for confidentiality in the banking, financial services, and insurance industries [8]. There is also an increase in demand for HSMs from other sources, such as the automotive industry, where they are used to enable secure communication and to verify and authenticate software updates [9]. 

Several key players in the global HSM market include Gemalto, Inc., IBM 
Corporation, Ultra Electronics Group Holdings, Utimaco GmbH, Futurex L.P., 
Thales e-Security, Inc., Hewlett Packard Enterprise Development L.P., SWIFT C.S., 
and Yubico, Inc. [8]. 

In EPFL's School of Computer and Communication Sciences, there is a research domain entitled "Security and Privacy", which publishes papers on the topic [10]. Research on the development of post-quantum hardware security modules is also under way; some of these, combined with embedded hardware accelerators, may become available shortly (see Chap. 20) [11]. The combination of IoT devices and hardware security modules is also being explored. For example, an HSM can ensure the integrity of key injection [12]. 


16.3 Consequences for Switzerland 


Due to the political stability and the availability of skilled labor, a specialist 
ecosystem has developed in Switzerland, with many HSM providers having branch 
offices here and Swiss providers establishing themselves on the international stage. 
The Swiss branch of Securosys SA and the Swiss branch of Thales Suisse SA are 
examples of this. 


16.3.1 Maturity 


Due to the maturity of the HSM market, it is possible to find machines suitable for 
a wide range of applications. However, HSMs should be purchased from reputable 
vendors, preferably ones that have already been certified (see below). 


16.3.2 Recommendation and Options 


Three recommendations are presented in this section regarding the use of HSMs. 


* Geo-redundant setup and clustering 

HSMs must be housed in secure data centers, but even then, hardware failures, natural disasters, or human error can destroy an HSM. This would result in the irreversible loss of all key material. Typically, a company has two to three devices with the same build and data (i.e., replicated) at geographically separate locations. Therefore, there must be operational failover procedures (switching operations to a backup recovery facility in case of primary system failure) between these devices [4]. 
* Key ceremony auditability 

Companies in regulated industries may be required to audit the generation of 
asymmetric key material [13]. The auditor must be able to obtain evidence of the 
entire process, including the hardware used, as well as verify the location and 
ownership of all key components during key generation and management. As 
a result, additional policies regarding access and change management must be 
prepared, as well as documents relating to the transport, storage, and management 
of keys, tokens, smart cards, and any related hardware. In light of the number of 
steps that could potentially compromise the private key, it is essential to have a 
solid runbook. The runbook describes the step-by-step process and the roles of all 
personnel involved in key generation. This ensures that auditors and all involved 
parties understand the process and serves as an audit trail [13]. 

* HSM security certification 

Generally, HSMs are certified following internationally recognized standards, such as FIPS PUB 140-2 [3], 140-3 [14], or Common Criteria (CC) [15]. In addition, four security levels are defined by the FIPS certification [16]. An HSM certificate is issued only for the HSM device itself. It does not automatically guarantee secure keys, since the operation of the key management system is equally critical to security. Regardless of certification, a system must address the single point of failure problem. For custodial services in the financial sector, it is a legal and compliance requirement to implement governance and policy controls throughout the entire key lifecycle. 


16.4 Conclusion 


HSMs provide adequate cryptographic key protection throughout the key lifecycle by enabling the secure generation of keys within an isolated hardware environment without ever revealing them. Furthermore, as HSMs can manage keys and enable users to manage keys, they provide significant security benefits to applications utilizing cryptography. 
Chapter 17 
Secure Multi-Party Computation 


Louis-Henri Merino and José Cabrero-Holgueras 


17.1 Introduction 


Secure Multi-Party Computation enables a group of parties to jointly compute a function while keeping their private inputs secret. The chapter discusses the definition of secure multi-party computation, its benefits and drawbacks, and its potential applications. It also discusses the trends in the field until 2025 and the challenges that need to be addressed for widespread adoption. Finally, the implementation possibilities for secure multi-party computation in Switzerland and the different deployment variations are discussed. The author provides recommendations for different markets and on the need to consider deployment options. 


17.2 Analysis 


17.2.1 Definition 


Secure Multi-Party Computation (MPC) enables a group of m mutually distrusting parties to jointly compute the output of a function f(x_1, x_2, ..., x_m), where x_i is the ith party's private input, without disclosing their private inputs [1]. The term "secure" refers to the latter property: the private inputs used for the computation are kept secret from all other parties. Some MPC protocols allow for auditable computation, allowing any party, including a party who did not participate in the computation, to verify the correctness of the result [2, 3]. 

A significant benefit of using MPC is that many of the constructed MPC protocols are information-theoretically secure, avoiding many of the problems involved with using cryptographic hardness assumptions. However, using MPC comes at the cost of performance (several orders of magnitude slower), primarily due to MPC's high bandwidth requirements. Nonetheless, specialized MPC protocols can significantly enhance performance compared to generic MPC protocols; one prominent example is private set intersection [4]. A drawback of information-theoretic MPC protocols, in comparison to MPC protocols that rely on hardness assumptions, is that their security guarantees no longer hold in the presence of a dishonest majority [5]. 

One particular case of multi-party computation is private set intersection (PSI). 
In this case, each party has a set of items, and the goal is to learn the intersection of 
those sets while revealing nothing else about those sets [6]. 
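The definition above made concrete with additive secret sharing, the simplest information-theoretic MPC protocol, as an added example that is not part of the chapter. The function computed is f(x_1, ..., x_m) = x_1 + ... + x_m (for instance, a joint case count across hospitals that will not share individual figures). Each party splits its input into m uniformly random shares that sum to the input modulo 2^64, sends one share to every other party, and publishes only the sum of the shares it received. The code is plain Go; the inputs are constructed sample values, and the network exchange is modelled by a matrix:

```go
package main

import (
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// randomShare returns a uniformly random element of Z_{2^64}.
func randomShare() uint64 {
	var b [8]byte
	if _, err := rand.Read(b[:]); err != nil {
		panic(err)
	}
	return binary.BigEndian.Uint64(b[:])
}

// share splits a private input x into m additive shares that sum to x modulo
// 2^64. Any m-1 of them are uniformly random and reveal nothing about x.
func share(x uint64, m int) []uint64 {
	shares := make([]uint64, m)
	var acc uint64
	for j := 0; j < m-1; j++ {
		shares[j] = randomShare()
		acc += shares[j] // wraps modulo 2^64
	}
	shares[m-1] = x - acc // the last share makes the total come out to x
	return shares
}

// secureSum runs the protocol among m semi-honest parties. inputs[i] is
// party i's private value. received[j] is what party j learns: one share from
// each party. Each party sums the shares it holds and publishes only that
// partial sum; the partial sums add up to f(x_1,...,x_m) = sum of all inputs.
func secureSum(inputs []uint64) (result uint64, received [][]uint64, partial []uint64) {
	m := len(inputs)
	received = make([][]uint64, m)
	for j := range received {
		received[j] = make([]uint64, m)
	}
	for i, x := range inputs {
		for j, s := range share(x, m) {
			received[j][i] = s // party i sends its j-th share to party j
		}
	}
	partial = make([]uint64, m)
	for j := 0; j < m; j++ {
		for i := 0; i < m; i++ {
			partial[j] += received[j][i]
		}
		result += partial[j]
	}
	return result, received, partial
}

func main() {
	// Constructed sample: three hospitals' case counts, each kept private.
	inputs := []uint64{1200, 850, 430}
	total, received, partial := secureSum(inputs)
	fmt.Println("joint total:", total)
	fmt.Println("shares seen by party 0:", received[0])
	fmt.Println("partial sums published:", partial)
}
```

The shares party 0 holds, together with all published partial sums, let it derive nothing beyond the total; this holds even if the other m-1 parties collude. The example is for the semi-honest model only: a party that sends shares not summing to its true input silently corrupts the result, and detecting or tolerating such behaviour is what the heavier protocols in the text pay for. The bandwidth cost the text mentions is also visible: every party sends m-1 shares for a single addition.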


17.2.2 Trends 


Virtually all organizations could benefit from utilizing MPC, as it enables mutually distrustful parties to cooperatively compute the output of a function that they all agree on without revealing their inputs. These parties may be distinct (e.g., different healthcare providers that want to collaborate to improve patient care without disclosing patient data) or the same (e.g., an organization aiming to protect sensitive information by splitting it across its multiple data centers, where each data center is a party to the MPC protocol). 

Some notable MPC use cases are secure auctions [7], privacy-preserving network security monitoring [8], spam filtering on encrypted emails [9], and secure machine learning [10]. Another notable MPC application is distributed authentication, where MPC can strengthen an organization's key server by splitting the critical server's functionality across multiple servers; an adversary capable of compromising one server, or fewer than a threshold of them, will not be able to reconstruct the organization's keys. Please refer to Chap. 13 for additional information on multi-party threshold systems. Unfortunately, factors such as a steep learning curve, unfamiliar mathematical notions, and a rapidly growing and evolving environment prevent easy use of the technology by programmers and end users. To reach widespread adoption of MPC, these issues must be addressed [11]. Application programming interfaces (APIs) for secure multi-party computation are a promising way to overcome these challenges; MPC compilers are another. 
17.3 Consequences for Switzerland 


17.3.1 Implementation Possibilities: Make or Buy 


An MPC solution consists of two major disciplines (distributed systems and cryptography), each with its own challenges, and it would thus require extensive effort to design and implement a homemade MPC solution. The author therefore recommends purchasing an existing MPC solution for all markets (military, civil society, and economy). Nevertheless, he recommends different deployments, as discussed in Sect. 17.3.2. 


17.3.2 Variations and Recommendation 


There are three MPC deployment variations: on-premise, hybrid, and cloud. For the 
military and maybe for civil society, the preferable setup is on-premise to prevent 
distributing private inputs to the software provider. To achieve the promises of 
MPC, an on-premise setup should require two or more independent data centers 
where each data center is considered a party to the MPC protocol. For civil society 
and the economy, the likely preferable option is a hybrid setup where the client's 
IT infrastructure and the software provider's IT infrastructure are each a party to 
the MPC protocol. The bandwidth between these two parties could be significant 
but may save the client from compartmentalizing their IT infrastructure. Cloud 
deployment allows for the complete outsourcing of the MPC solution where it is 
operated only on the software provider's IT infrastructure. This cloud deployment 
is likely the least expensive option. 


17.4 Conclusion 


In conclusion, MPC enables a group of mutually distrusting parties to compute an 
agreed-upon function using their own private inputs without revealing their private 
inputs to other parties. MPC can be used to secure and enable privacy-preserving 
applications from privacy-preserving network security to secure machine learning. 
Given the complexity of designing and implementing MPC protocols, enlisting an 
MPC provider is preferable, but clients should have flexibility over the type of MPC 
deployment: on-premise, hybrid, and cloud. 
Part III 
High-Level Applications 


Chapter 18 
Trusted Execution Environment 


Maria Sommerhalder 


18.1 Introduction 


Trusted Execution Environments (TEEs) are secure areas of central processors or 
devices that execute code with higher security than the rest of the device. They 
provide confidentiality and integrity for sensitive data in all its states. TEEs are 
similar to hardware security modules but are a component of the typical chipset 
rather than a separate dedicated device. Moreover, TEEs aim to provide verifiable 
launch, run-time isolation, trusted input/output, and secure storage for TEE data. 
TEEs are widely used in mobile phones, cloud computing environments, and 
other embedded hardware platforms. Using TEEs in cloud environments enables 
companies to securely migrate sensitive data to the cloud. The regulation of TEEs 
will play an essential role in driving companies to adopt cloud computing, especially 
in highly regulated industries such as healthcare and banking. 


18.2 Analysis 


Trusted execution environments (TEEs) ensure the confidentiality and integrity of highly sensitive data in all its states (i.e., at rest, in transit, and in use). TEEs can be used on-premises, in the cloud, or within embedded hardware platforms. For example, smartphones and Internet of Things (IoT) devices used in automotive and healthcare applications often incorporate TEEs [1]. 
Remote attestation is used to authenticate the device and the executed applications. The Trusted Application Manager is used to install applications, which can then be consumed in the TEE 


18.2.1 Definition 


TEEs are areas on a central processor or device that execute code with higher levels 
of security than the rest of the device. Security is provided by encrypted memory 
regions called enclaves. Because the environment is isolated from the rest of the 
device, it is not affected by infection or compromise of the device. The code or 
applications that run on the TEE are referred to as trusted applications (TAs) [2] 
(see Fig. 18.1). 

In principle, TEEs are similar to hardware security modules (HSMs), which are dedicated devices that allow the creation of keys protected by hardware and perform everyday cryptographic operations such as encryption, decryption, and signing. An HSM is a separate module that is connected to the main CPU and motherboard via a PCI bus or a network [3] (see HSM in Chap. 16). On the other hand, the TEE is a component of the typical chipset and does not require any additional hardware. 

TEEs often vary in terms of their exact security goals. However, most of them aim to provide four high-level security protections. The first is the verifiable launch of the execution environment for the sensitive code and data, so that a remote entity can be assured that it was set up correctly. The second is run-time isolation to protect the confidentiality and integrity of sensitive code and data. The third is trusted I/O to enable secure access to peripherals and accelerators. The fourth is secure storage for TEE data that must be stored persistently and made available only to authorized entities at a later time [4]. 
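The first protection, verifiable launch, is what remote attestation (Fig. 18.1) delivers, and the following added example models the exchange; it is not from the chapter and does not reproduce any vendor's quote format. The device side measures the enclave image (a hash of the loaded code), and signs the measurement together with a nonce supplied by the verifier using a per-device attestation key; the verifier checks the signature against the device public key it trusts, checks the nonce to rule out replay, and accepts only measurements on its allow-list of known builds. Everything here is Go standard library; the key pair, the image bytes and the build names are constructed for the illustration:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Quote is the device's attestation evidence: the launch measurement of the
// enclave image, the verifier's nonce, and a signature over both made with the
// device attestation key. Constructed model; real quote formats differ per TEE.
type Quote struct {
	Measurement [32]byte
	Nonce       [16]byte
	Sig         []byte
}

// newDeviceKey stands in for the attestation key a manufacturer provisions
// into each device (constructed for the example).
func newDeviceKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// newNonce is issued by the verifier per challenge so an old quote cannot be replayed.
func newNonce() [16]byte {
	var n [16]byte
	if _, err := rand.Read(n[:]); err != nil {
		panic(err)
	}
	return n
}

// measure is the launch measurement: a hash of the code loaded into the TEE.
func measure(image []byte) [32]byte { return sha256.Sum256(image) }

// quoteDigest binds measurement and nonce under a domain-separation label.
func quoteDigest(m [32]byte, nonce [16]byte) [32]byte {
	h := sha256.New()
	h.Write([]byte("tee-quote-v1"))
	h.Write(m[:])
	h.Write(nonce[:])
	var d [32]byte
	copy(d[:], h.Sum(nil))
	return d
}

// attest runs on the device: measure the image, then sign measurement and nonce.
func attest(devKey *ecdsa.PrivateKey, image []byte, nonce [16]byte) (Quote, error) {
	q := Quote{Measurement: measure(image), Nonce: nonce}
	d := quoteDigest(q.Measurement, nonce)
	sig, err := ecdsa.SignASN1(rand.Reader, devKey, d[:])
	q.Sig = sig
	return q, err
}

// Verifier is the remote relying party: it trusts one device public key and an
// allow-list mapping accepted measurements to build names.
type Verifier struct {
	DevPub  *ecdsa.PublicKey
	Allowed map[[32]byte]string
}

// verify checks signature, freshness and measurement, in that order, and
// returns the name of the accepted build.
func (v Verifier) verify(q Quote, expectedNonce [16]byte) (string, error) {
	d := quoteDigest(q.Measurement, q.Nonce)
	if !ecdsa.VerifyASN1(v.DevPub, d[:], q.Sig) {
		return "", errors.New("quote signature invalid: not from a trusted device")
	}
	if q.Nonce != expectedNonce {
		return "", errors.New("stale quote: nonce mismatch")
	}
	name, ok := v.Allowed[q.Measurement]
	if !ok {
		return "", fmt.Errorf("unknown enclave build %s...", hex.EncodeToString(q.Measurement[:8]))
	}
	return name, nil
}

func main() {
	devKey, _ := newDeviceKey()
	image := []byte("wallet enclave build 1.4.2 (constructed)")
	v := Verifier{DevPub: &devKey.PublicKey, Allowed: map[[32]byte]string{measure(image): "wallet-enclave-1.4.2"}}

	nonce := newNonce()
	q, _ := attest(devKey, image, nonce)
	fmt.Println(v.verify(q, nonce)) // accepted: known build, fresh nonce, trusted key
	changed, _ := attest(devKey, []byte("wallet enclave build 1.4.2 (modified)"), nonce)
	fmt.Println(v.verify(changed, nonce)) // rejected: measurement not on the allow-list
	fmt.Println(v.verify(q, newNonce())) // rejected: old quote replayed against a new challenge
}
```

The order of the checks matters for the verifier: the signature establishes that the evidence comes from genuine hardware before anything in it is believed, the nonce establishes that it describes the current launch, and only then is the measurement compared to what the relying party is willing to trust. A production verifier would additionally chain the device key to the manufacturer's CA and consult a revocation list.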
18.2.2 Trends 


18.2.2.1 Application on Mobile Phones 


The mobile phone is capable of downloading and using a wide variety of applications. As a result of the increased complexity of the code bases running on mobile operating systems, vulnerabilities and compromises are more likely to be exploited. Malicious code from one application can access information from another application and leak it. Using TEEs, applications can be separated from each other, and sensitive applications can be restricted to running within the TEE. Data that requires high levels of security can be designated to be stored and processed exclusively within the TEE and nowhere else [1]. In most modern smartphones and tablets, ARM TrustZone implements a TEE [5]. 


18.2.2.2 Security in Cloud Data Processing 


The use of hardware-based TEEs within cloud environments is referred to as "confidential computing" by various vendors, including AMD, Intel, and ARM, and on various platforms, including Microsoft Azure or Internet of Things applications [2, 6]. TEEs have historically stored small amounts of data, such as passwords or encryption keys. Nowadays, they are available on a larger scale in cloud environments and can therefore be offered as part of secure database services that allow data to be decrypted only in the TEE of the respective servers. In other words, the data is encrypted both in transit and at rest. Even though it is not encrypted during use, it is still protected since it can only be used within the isolated enclave [7]. Using TEEs in cloud environments enables companies to migrate highly sensitive data to the cloud. According to an exploratory study [8], understanding the regulatory impact of TEEs is essential in driving companies' cloud adoption, especially in industries such as healthcare, life sciences, and banking that are more conservative and slow to adapt. 


18.2.2.3 Data Protection Laws 


Today's computer and mobile systems are becoming increasingly complex, hosting a variety of untrusted software components, such as multiple applications interacting with user data on a single smartphone or multiple tenants sharing a single cloud platform [4]. Thus, systems must protect sensitive data from unauthorized access over networks and from physical attacks. In addition to storing encryption keys [9], a TEE is capable of isolating private data, such as contacts, messages, and photos, or sensitive data, such as credentials, passwords, or medical information. In the event of loss, theft, or malware infection, the data is not exposed [10]. 
18.2.2.4 Cryptocurrency Usage 


TEEs are used to protect cryptocurrency wallets. One example is the ARM 
TrustZone-based Secure Blockchain Lightweight Wallet (SBLWT) [11]. In SBLWT, 
the private key associated with the digital assets is isolated. By using this method, 
retail investors can replace the common practice of backing up private keys on paper 
or insecurely storing them in the cloud [12]. 


18.2.2.5 Demand 


Currently, hardware tokens are used in many aspects of our lives, including one- 
time tokens for multi-factor authentication and tokens for opening cars or buildings. 
In the future, TEEs in our mobile phones may replace these, improving the user 
experience and reducing the costs for service providers [1]. With the many possible 
applications of TEEs in mobile phones, it can be inferred that demand for such 
devices will increase. As of 2021, almost 15 billion mobile devices were operating 
worldwide. The previous year, just over 14 billion mobile devices were operating 
worldwide. By 2025, the number of mobile devices is expected to reach 18 
billion. The demand for TEE systems is likely to increase as these devices become 
increasingly available and related apps become increasingly popular on a global 
scale [13]. 


18.2.2.6 Actors 


There are many key players in the global TEE market, including IBM Corporation, 
Intel Corporation, Fortanix, Inc., Alibaba Group Holdings, Microsoft Corporation, 
Advanced Micro Devices, Inc., and Edgeless Systems GmbH. Securosys SA, 
CYSEC SA, Legic Identsystems SA, and Fortinet Switzerland GmbH are the market 
leaders in the Swiss market. 


18.2.2.7 Research 


The Secure & Trustworthy Systems Group at ETH Zurich has released an Open 
Framework for Architecting Trusted Execution Environments as a reference for 
creating large systems [14, 15]. On the other hand, Zurich University of Applied 
Sciences (ZHAW) is focused on developing privacy-preserving applications of 
TEE [16]. 

The Linux Foundation's Confidential Computing Consortium is a community dedicated to defining and accelerating the adoption of confidential computing [17]. GlobalPlatform has a TEE Committee whose members are GlobalPlatform members [18]. It aims to define an open security architecture for consumers and connected devices using a TEE and to enable the development and deployment of services by multiple service providers. In particular, it addresses API specifications and security evaluation frameworks [19]. 


18.3 Consequences for Switzerland 


Swiss providers have established themselves internationally due to the country's 
stability and availability of skilled labor. Many TEE providers have branch offices 
here, and Swiss providers have established themselves in other countries. Examples 
include Securosys SA, Global Platform Services GmbH, and CYSEC SA. 


18.3.1 Maturity 


As noted above, most mobile phones are equipped with TEE functionality [1]. 
Furthermore, TEE has achieved a high level of maturity due to the almost 15 billion 
mobile phones in circulation [13]. 


18.3.1.1 Recommendations and Options 


* Open-source hardware security 

Hardware vulnerabilities are a real threat, exploited most recently in 2018, when it was revealed that a wide range of attacks were possible, including Foreshadow, Spectre, and Meltdown. As these vulnerabilities affected closed-source hardware, open-source projects aim to close such vulnerabilities by making their code base available to a variety of specialists [20-22]. 

* Potential security and/or trust issues 

Cerdeira et al. [23] studied the vulnerabilities and limitations affecting existing TrustZone-assisted TEE systems. They found three different categories of issues: 

— Critical implementation bugs: bugs are continuously found in trusted applications as well as in the trusted OS. 
— Architectural deficiencies: TEEs have large attack surfaces due to the lack of standard protection mechanisms generally found in modern OSes. 
— Overlooked hardware properties: in most TrustZone systems, there are overlooked properties at the architectural and microarchitectural levels that can be exploited and/or used to exfiltrate sensitive data. 

* Lack of standards 

The development of TEEs has been siloed within a small number of companies, which has created a need for well-established standards. Unfortunately, this resulted in proprietary designs (SGX, SEV, TrustZone) with interoperability issues. However, a few research groups are committed to developing industry standards (see the research section above). 


18.4 Conclusion 


With a TEE, sensitive data is protected in an isolated enclave, and other applications are prevented from accessing the reserved memory enclave. Furthermore, since TEEs are part of a standard chipset, this inexpensive technology can be leveraged across many devices, resulting in increased security, especially in the mobile sector and in IoT products. 
Chapter 19 
Confidential Computing 


Yacine Felk 


19.1 Introduction 


Confidential computing protects data during processing by performing computa- 
tions in a Trusted Execution Environment (TEE) and/or through Secure Multi-Party 
Computation. The goal is to encrypt data in the system's main memory without 
sacrificing performance. There are two approaches to protect the data in memory: 
full system memory encryption and individual virtual machine (VM) memory 
encryption, isolated from the hypervisor. This protects data from cold boot and 
physical attacks and attacks originating from other VMs or the hypervisor. CPU 
providers, such as AMD, Intel, and Arm, offer confidential computing technol- 
ogy, and it can be applied anywhere, including public and private clouds, edge 
deployments, and user devices. Encryption is the most common technique, but other 
solutions are also possible. 


19.2 Analysis 


In classical computing, data exists in three states: in transit, at rest, and in use. Data traversing the network is "in transit," data in storage is "at rest," and data being processed is "in use." In a world where we are constantly storing, consuming, and sharing sensitive data (from credit card data to medical records, from firewall configurations to our geolocation data), protecting sensitive data in all of its states is more critical than ever. While techniques to protect data in transit and at rest are now commonly deployed, the third state, protecting data in use, is the new frontier being addressed by the Confidential Computing Consortium [1]. 


19.2.1 Definition 


Confidential computing protects data in use by performing the computation in a 
hardware-based Trusted Execution Environment (see Chap. 18). It may also use the 
Secure Multi-Party Computation (see Chap. 17) technology for some of its tasks. 
The goal of confidential computing technology is to encrypt data in use in the main 
memory of the system without compromising performance. There are two aspects 
to protecting the data in memory: 


* Encrypting full system memory 

* Encrypting individual virtual machine (VM) memory and isolating the VM 
memory from the hypervisor (hypervisor is a type of computer software, 
firmware, or hardware that creates and runs virtual machines) 


Whole system memory encryption helps defend data against cold boot and 
physical attacks. Encrypting individual VM memory helps defend data against 
attacks that originate in other VMs on the same physical host and from the 
hypervisor itself. Encrypting individual VM memory and isolating it from the 
hypervisor is critical in today's highly virtualized, multi-tenant environment. There 
are many CPU providers with confidential computing technology; among them, 
AMD (including SEV and its derivatives such as SEV-SNP), Intel SGX or TDX, 
and Arm (with its TrustZone technology), to name a few. The definition is not limited 
to "cloud" uses but can be applied anywhere, including public cloud servers, on-
premises servers, gateways, IoT devices, edge deployments, user devices, etc. It is 
also not limited to such trusted execution being done by any particular processor 
since trusted processing might be in various places, such as a GPU or a network 
interface card. Neither is it limited to encryption solutions, though this is the most 
common technique employed. 


19.2.2 Trends 


Although the adoption of confidential computing is nascent, its potential is tremendous, 
not only for the enterprises consuming it but also for the technology and 
service providers enabling it. The Total Addressable Market (TAM) for confidential 
computing in 2021 is 1.9-2.0 billion US Dollars, with expected growth at a 
compound annual growth rate (CAGR) of 90-95% in the best-case scenario, and 
40-45% in the worst-case scenario through 2026. Exponential increases in cyber risks, 
regulations, and avenues for incremental revenue position confidential computing 
for hyper-growth. Regulated industries like banking, finance, insurance, healthcare, 
life sciences, the public sector, and defense will drive over 75% of demand [2]. 
Awareness of the benefits of confidential computing and willingness to invest in 
exploration is expected to double across crucial regulated industries through 2026. 

What drives the use cases for confidential computing? Confidential computing 
encompasses different use cases across many critical industries; to name a few: 


* Cloud Key Management Services (KMS). 

* Improve application security on the public cloud and prevent data compromise 
from malicious actors. 

* Scalable replacement for dedicated Hardware Security Modules (HSMs). 

* Sharing sensitive data with third parties for analytics and other multi-party 
computing scenarios. 

* Smart Contracts and Blockchain. 

* Secure data during AI/ML modeling. 

* Secure the intellectual property and data generated or utilized in edge and IoT 
devices from malicious elements. 


19.3 Consequences for Switzerland 


In 2020, the Federal Council established Switzerland's strategy for Public Cloud and 
elaborated an analysis of its impacts on public and administrative data governance 
and protection [3]. Interestingly, the conclusions emphasize the importance of 
exploiting hyperscaler infrastructure (such as GCP, AWS, Oracle, Alibaba, etc.) 
to guarantee reliable and resilient services. This can only be done with the 
exploitation of confidential computing technologies, ensuring that the application 
deployment environment is isolated from the infrastructure provider environment, 
thus ensuring data confidentiality and integrity. Looking at the Confidential 
Computing Consortium members, three players are Swiss-based: 


* Swisscom: national telco operator providing the IT infrastructure. 

* Decentriq: providing trusted collaboration applications exploiting technologies 

* CYSEC: providing a complete set of confidential computing software creating 
secure private environments and enabling Public Clouds to be turned into Private 
Clouds for any application or workload. 


19.3.1 Implementation Possibilities: Make or Buy 


Competitors of the three Swiss companies mentioned above are actively engaging with 
their own states' organizations and delegations. To mention two recent examples: 


* In March 2022, Fortanix announced the adoption of its Data Security Manager 
(DSM) platform by federal agencies to safeguard sensitive data and mitigate 
future cyberattacks. Fortanix's DSM platform uses confidential computing to 
help government agencies protect data and IP within Trusted Execution 
Environments and provide them the ability to move and process encrypted data in 
cloud environments [4]. 

* In February 2022, Anjuna announced that Israel's Ministry of Defense (MOD) 
had entered the public cloud for the first time with Anjuna's software, 
which offers the most robust data security available. With Anjuna Confidential 
Cloud software, the MOD can leverage confidential computing features available 
in cloud servers that eliminate exposure of data in use to insiders, malicious 
software, and bad actors. In addition, sensitive data and applications remain fully 
encrypted with Anjuna, without any software modifications, and stay isolated 
and in complete control of the MOD [5]. 


This section presents the pros and cons of buying or making confidential computing 
technologies. For confidential computing, Make is interpreted as exploiting 
Swiss-based solutions enabling the protection of data in use. In contrast, Buy is 
interpreted as using a foreign solution enabling Public Clouds to be turned into 
Private ones (Table 19.1). 


Table 19.1 Implementation possibilities for different sectors 

Military 
  Swiss solutions, pros: More secure against partner attacks and control 
  Swiss solutions, cons: May rely on small actors and start-ups 
  Foreign solutions, pros: Easy integration with other armies and international organizations 
  Foreign solutions, cons: System might malfunction and transfer trusted layer to foreign 
  entities (companies or governments) 

Civil Society 
  Swiss solutions, pros: Added value and trust to critical services running on hyperscalers 
  and Public Cloud 
  Swiss solutions, cons: Difficult to interact with others or ensure that it is easily implemented 
  Foreign solutions, pros: Exchange with a larger group of people 
  Foreign solutions, cons: More expensive and increased risk of attacks 

Economy 
  Swiss solutions, pros: More innovation and know-how and strengthening of cybersecurity 
  skills; less dependency on foreign providers 
  Foreign solutions, pros: Innovation through external actors (might enhance international 
  collaborations) 
  Foreign solutions, cons: Need to assess the maturity of foreign solutions 
19.4 Conclusion 


Given the broad applicability of confidential computing, enterprises are starting to 
experiment with the technologies for their use cases. This also helps to understand 
potential areas of adoption. For the military, one of the most exciting problems to 
solve with confidential computing is the data integrity and code integrity problem. 

In civil society, confidential computing currently benefits several critical parts 
of the economy (enabling compliance with privacy and security regulations), 
primarily banks and some parts of critical infrastructure, which can take advantage 
of this technology by providing new services/business while exploiting hyperscaler 
infrastructure. Nevertheless, the technical solutions must still mature and be 
deployed at scale. 
Chapter 20 
Hardware Acceleration 


Dina Mahmoud 


20.1 Introduction 


With Moore's law and Dennard's scaling no longer fueling the improvement 
in computing performance, new avenues for increasing performance are needed. 
Hardware acceleration is one avenue where many researchers and industrial parties 
work and invest. This is because accelerators can allow for high levels of parallelism 
not supported by general-purpose central processing units. These high levels of 
parallelism are particularly well-suited for many modern applications. Therefore, 
research on and use of hardware acceleration is expected to continue in the near future. 
However, the various parties should consider several aspects when deciding whether to 
invest in hardware acceleration by making their own accelerators or buying them from 
a third party. This factsheet presents an analysis of hardware acceleration and the 
trends until 2025. It also discusses the aspects to consider and how specific 
considerations are more important for some actors. 


20.2 Analysis 


With the slowdown of Moore’s law, system developers are examining potential 
avenues for performance improvement of computing systems. As simply increasing 
the frequency or the number of transistors on the chip is no longer feasible, IT 
infrastructure operators have adopted hardware acceleration. Various platforms and 
levels of hardware acceleration exist. 
20.2.1 Definition 


Hardware acceleration is the use of specialized hardware within a computing system 
designed to handle specific tasks in an optimized way [1]. Central processing 
units (CPUs) are typically responsible for most tasks within a computing system. 
However, tasks requiring high levels of parallelism do not run efficiently on general- 
purpose CPUs. Moreover, many tasks need to be run, and if one of them is slower 
than the rest, it can affect the system's performance. This is where hardware 
acceleration comes in. When a task possesses properties making its execution on 
a CPU suboptimal, system designers include specialized hardware in the system 
to which the task is offloaded. Graphics processing units (GPUs) are among the 
most famous hardware accelerators designed for rendering graphics. Their support 
for parallelism has also made them suitable for other tasks, including machine 
learning acceleration [2]. To avoid long execution times due to the sequential nature 
of CPUs and to avoid software-based exploits, cryptographic algorithms are also 
among the notable applications benefiting from hardware acceleration [3]. Other 
examples of hardware accelerators include application-specific integrated circuits 
(ASICs), which can implement specialized cryptographic accelerators on modern 
systems-on-chip (SoCs), and field-programmable gate arrays (FPGAs). 


20.2.2 Trends 


There has been a steady growth in research on hardware acceleration (as shown in 
Fig. 20.1) and in the adoption of specialized hardware. For instance, specialized 
accelerators like the Apple Neural Engine are making their way into consumer 
electronics [4]. ARM also offers security algorithm accelerators to support the 
Armv8-A cryptography extensions [5]. Due to the inability of CPUs to meet the 
increasing computing demand, the use of specialized hardware is expected to keep 
increasing until 2025. The increased interest in using hardware accelerators has also 
increased the research on their security in terms of attacks and countermeasures. 

Fig. 20.1 arXiv and IEEE Xplore publications containing the keywords “Hardware 
acceleration” OR “Hardware accelerator” 


20.3 Consequences for Switzerland 


Hardware acceleration is helpful for more efficient computing. Nevertheless, there 
are many considerations when investing in a hardware accelerator, especially when 
using it for security. If the specialized computing core is to be highly utilized, it 
is helpful to invest in it [2]. This is a likely case for a cryptographic accelerator in 
a system that encrypts and decrypts all outgoing and incoming data, for example. 
However, one needs to consider that the security of hardware accelerators may be 
questionable. Hardware Trojans, fault injection attacks, and side-channel attacks are 
significant threats to hardware cryptographic accelerators. 


20.3.1 Implementation Possibilities: Make or Buy 


This section presents the pros and cons of buying or making secure hardware 
accelerators (Table 20.1). 

Depending on the type of hardware accelerator, many risks and opportunities are 
associated with making or buying it. Making the hardware accelerator from scratch 
gives higher security guarantees as there is no possibility for third-party-implanted 
hardware Trojans. Furthermore, specific countermeasures can be implemented to 
protect against various exploits, such as redundancy, masking, and hiding. However, 
there is significant engineering effort in building a correct, highly performant, 
secure hardware accelerator. If not correctly designed and built, bugs can result 
in misbehavior, reducing the system's performance or reliability. Furthermore, the 
interoperability of hardware accelerators with other components in the system is 
a critical aspect to consider. Buying accelerators usually guarantees that they will 
have standard interfaces, but it is possible to design a specialized core with standard 
interfaces. 

For specialized military applications, where security is of the utmost concern, 
and if accelerators are unlikely to already be in existence, making the accelerators 
is better. Making the hardware eliminates the possibility of hardware Trojans, but 
not of bugs in the design nor potential leakage of information. Coupled with proper 
testing (for security and reliability), making the accelerator would guarantee secure 
and reliable hardware. If the accelerator can be bought, design effort can be saved, 
but guaranteeing the security would come at the cost of extensive security testing 
to guarantee that there are no (intentional or unintentional) backdoors. Making 
accelerators that target widely used applications can have a significant economic 
benefit for businesses. Such accelerators can be sold to many parties, resulting 
in high profits. For example, many hardware accelerator designs can be bought 
and used on Amazon Web Services Marketplace [6]. However, this is only the 
case for widely used applications. For more specialized accelerators, making them 
may still prove helpful to the business if the accelerator significantly improves 
their workloads’ performance. However, there may be no direct profit from selling 
the accelerators. Buying pre-existing accelerators will allow for faster end-product 
development if the business entity is not accustomed to building hardware. For the 
remaining actors, buying the accelerators is a good solution. Again, some testing 
would need to be done to guarantee a minimum level of security for the purchased 
hardware. 


Table 20.1 Implementation possibilities for different sectors 

Military 
  Make, pros: No hardware Trojans; more specialized hardware 
  Make, cons: Potential error in implementation adding attack surface 
  Buy, pros: Reuse available tested accelerators, no design effort, and accelerator 
  interoperable with other platforms 
  Buy, cons: Might contain accidental or purposeful backdoors and increased need for 
  security testing 

Civil Society 
  Make, pros: None 
  Make, cons: None 
  Buy, pros: Accelerator interoperable with other platforms, reuse available tested 
  accelerators 
  Buy, cons: Potential security vulnerabilities 

Economy 
  Make, pros: Sell for profit 
  Make, cons: Liability in case the accelerator has an error or a security vulnerability 
  Buy, pros: Faster development of products 
  Buy, cons: Less advantage over competition; features and extensions are needed to 
  innovate 


20.3.2 Variations and Recommendation 


Hardware accelerators have varying levels of specialization (and flexibility). They 
can also be integrated using a variety of methods in existing systems. The choice of 
which variation to opt for depends on the application and the actor looking to use the 
specialized hardware. The highest level of specialization is achievable when using 
application-specific integrated circuits (ASICs). However, this translates to higher 
costs in engineering efforts and reduced flexibility. Field programmable gate arrays 
(FPGAs) require less effort to design the accelerator and offer more flexibility at the 
price of remaining within the constraints of the FPGA resources and slightly reduced 
performance. Finally, graphics processing units (GPUs) offer high flexibility and 
parallelism. However, they are not as customizable to the application as FPGAs and 
ASICs and can therefore have lower performance. If the application for which the 
custom hardware is being purchased will be fully utilizing the hardware, and one 
in which performance is of the utmost importance, then an ASIC is the best choice. 
The lower the utilization is expected to be, the better it is to opt for a more flexible 
option. 

Deploying any chosen accelerator still requires considering its security. With 
attacks constantly being demonstrated against ASIC-, FPGA-, and GPU-based 
accelerators, designs should be appropriately secured before deployment. The 
main security risks arise if the device is physically accessible to a malicious party. 
However, software access can also be leveraged for a variety of exploits. According 
to the deployment model of the device and the desired security level, various 
protection mechanisms (e.g., redundancy, radiation-hardening, leakage detection) 
can be implemented. 
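As an added example, not taken from the chapter or from any vendor's accelerator design, the following C code models two of the countermeasures named in Sects. 20.3.1 and 20.3.2 on a single cryptographic building block: first-order Boolean masking of a 4-bit S-box lookup, so the secret nibble never appears unmasked in an intermediate value, and redundant evaluation on two independently masked copies with a consistency check, so an injected fault is flagged rather than released. The S-box (the public PRESENT S-box), the mask values and the bit-flip fault model are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Public 4-bit S-box (the PRESENT cipher S-box), used only as an example table. */
static const uint8_t SBOX[16] = {
    0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD, 0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2
};

/* One masked copy of the S-box with table[x ^ m_in] == SBOX[x] ^ m_out for all x.
 * The table is built by iterating over all 16 indices, so no intermediate of the
 * precomputation depends on a secret. A real design refreshes the masks per
 * evaluation; here they are fixed constructed values. */
typedef struct {
    uint8_t m_in, m_out;
    uint8_t table[16];
} MaskedSbox;

static void masked_sbox_init(MaskedSbox *ms, uint8_t m_in, uint8_t m_out) {
    ms->m_in = m_in & 0xF;
    ms->m_out = m_out & 0xF;
    for (int v = 0; v < 16; v++)
        ms->table[v] = SBOX[v ^ ms->m_in] ^ ms->m_out;
}

/* Masked lookup: both the index and the result carry a mask, so the plain
 * S-box input and output never exist as a register value here. */
static uint8_t masked_sbox_lookup(const MaskedSbox *ms, uint8_t x_masked) {
    return ms->table[x_masked & 0xF];
}

/* Redundant evaluation: copies a and b compute the same secret nibble x under
 * independent masks. Copy b is re-masked to a's output mask, using a delta
 * derived from the masks alone, and compared while still masked; a mismatch
 * means one datapath was faulted. fault_flip is the constructed fault model
 * (bits XORed into b's result before the check); 0 injects no fault.
 * Returns 0 and writes SBOX[x] ^ a->m_out to *out_masked on success, or -1
 * without releasing a result when the check fails. */
static int sbox_redundant(const MaskedSbox *a, const MaskedSbox *b,
                          uint8_t x, uint8_t fault_flip, uint8_t *out_masked) {
    x &= 0xF;
    uint8_t ra = masked_sbox_lookup(a, x ^ a->m_in);   /* SBOX[x] ^ a->m_out */
    uint8_t rb = masked_sbox_lookup(b, x ^ b->m_in);   /* SBOX[x] ^ b->m_out */
    rb ^= fault_flip & 0xF;                             /* simulated glitch on b */
    uint8_t delta = a->m_out ^ b->m_out;                /* mask-only quantity */
    if ((uint8_t)(rb ^ delta) != ra) {
        *out_masked = 0;                                /* nothing leaves the core */
        return -1;
    }
    *out_masked = ra;
    return 0;
}

/* Check that the masked, redundant evaluation matches the plain S-box for every
 * input under the given masks. Returns the number of mismatches (0 expected). */
static int check_all_inputs(uint8_t ma_in, uint8_t ma_out, uint8_t mb_in, uint8_t mb_out) {
    MaskedSbox a, b;
    masked_sbox_init(&a, ma_in, ma_out);
    masked_sbox_init(&b, mb_in, mb_out);
    int mismatches = 0;
    for (uint8_t x = 0; x < 16; x++) {
        uint8_t masked;
        if (sbox_redundant(&a, &b, x, 0, &masked) != 0 ||
            (uint8_t)(masked ^ a.m_out) != SBOX[x])
            mismatches++;
    }
    return mismatches;
}

/* Single lookup with fixed constructed masks; the final unmasking is done here
 * only so the demo and its caller can see the plain value. */
static int demo_lookup(uint8_t x, uint8_t fault_flip, uint8_t *plain_out) {
    MaskedSbox a, b;
    masked_sbox_init(&a, 0x3, 0xA);
    masked_sbox_init(&b, 0xC, 0x5);
    uint8_t masked;
    int rc = sbox_redundant(&a, &b, x, fault_flip, &masked);
    *plain_out = (rc == 0) ? (uint8_t)(masked ^ a.m_out) : 0;
    return rc;
}

int main(void) {
    uint8_t v;
    printf("mismatches over all inputs: %d\n", check_all_inputs(0x3, 0xA, 0xC, 0x5));
    int rc = demo_lookup(0x7, 0x0, &v);
    printf("x=7, no fault:      rc=%d value=0x%X\n", rc, v);
    rc = demo_lookup(0x7, 0x4, &v);
    printf("x=7, bit 2 faulted: rc=%d (fault detected, no value released)\n", rc);
    return 0;
}
```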


20.4 Conclusion 


The use of specialized hardware to accelerate applications not performing well on 
modern CPUs will likely continue in the coming years. Consequently, accelerators are 
likely to be used by all actors in various applications. For example, we already see many 
hardware accelerators for cryptographic applications and security. Each actor needs 
to decide on the variation of customized hardware to invest in based on the expected 
usage and the application. Furthermore, security should be a central consideration 
when designing or buying the hardware accelerator. The tradeoff between security and 
design cost must be studied to decide whether to make or buy the accelerator and the 
amount of testing necessary to guarantee the desired level of security and reliability. 
Chapter 21 
Secure Operating System 


Llorenç Romá and Bernard Tellenbach 


21.1 Introduction 


The operating system (OS) is the backbone of every modern computer system, 
managing the system’s resources and executing applications. Its security is critical 
as a vulnerability in the OS or any applications running on it can expose the entire 
system to risk. Different types of OS can be considered security-wise: (1) security- 
focused OS and (2) security-evaluated OS. A security-focused OS aims to provide 
a higher level of security by protecting the rest of the system from modules that an 
attacker might exploit. In contrast, a security-evaluated OS is certified by an external 
security-auditing organization. Hardening measures will vary as different use cases 
have different requirements for a secure OS. In addition, different technologies are 
used to complement the security provided by the OS. The trend for secure OSes 
is, among others, the use in container-focused OSes and intelligent vehicles where 
digital features are increasing, as well as in mobile phones. 


21.2 Analysis 


21.2.1 Definition 


Every modern computer system runs a core piece of software executed on top of the 
hardware. This software is the operating system (OS). It is responsible for allocating 
the primary resources of the system (e.g., CPU, memory, communication ports) and 
supervising the execution of all the applications within the system. Given the crucial 
role of the OS, its security (or lack of it) might have a significant impact 
on the whole system: a vulnerability in the OS, or any application running in it, 
endangers all the other applications running in the system as well as 
all the data stored in it. This situation becomes highly problematic when the system 
stores important (confidential) data or runs critical applications in high-risk facilities 
(e.g., satellite communications, power plants, banking systems, aircraft systems, and 
SCADA systems). Therefore, it is essential to improve OS security to ensure data 
integrity, confidentiality, and availability. 

When discussing secure operating systems, we generally refer to (1) security- 
focused OS and (2) security-evaluated OS. In any case, such operating systems are 
designed to provide a higher level of security. 


(1) Security-Focused OS 

A security-focused operating system should guarantee the secure or trusted execution 
of components (programs) that might not be secure. That is, the OS should 
protect the rest of the system from modules that an attacker might exploit to get 
control of the system, for instance, using sandboxing, compartmentalization, or by 
isolating cryptography functions and key management. Qubes OS is one such OS, 
which is especially valuable in industries where sensitive data has to be securely 
segregated. Other examples include Tails OS and ReactOS. 

In addition, to provide an extra level of security at different layers, OSes may 
leverage other software and hardware technologies and mechanisms, described in 
more detail in other chapters, such as Secure Boot, Trusted Platform Modules 
(TPM), Hardware Security Modules (HSM), disk encryption, network protection, 
and other security-related features such as access control lists (ACLs) and event 
auditing. 

One example of such hardware-based technology is HSM (Chap. 16). An HSM 
can improve the security of an operating system by providing secure storage for 
cryptographic keys and other sensitive data, such as passwords and certificates. This 
makes it much more difficult for attackers to access the keys and other sensitive data, 
even if they have successfully compromised the operating system or other software 
on the computer. In addition, an HSM can also perform cryptographic operations, 
such as encryption, decryption, and signing. By offloading these operations to the 
HSM, the operating system can reduce its exposure to security threats, as the keys 
and sensitive data are not accessible to the operating system or other software. 

Similarly to an HSM, a Trusted Execution Environment, or TEE (Chap. 18) is 
a secure area of a computing device, typically implemented on the chip itself, that 
provides a secure environment for executing sensitive operations. The TEE is also 
used to provide secure storage for cryptographic keys and other sensitive data, such 
as passwords and certificates, which would protect such assets in a scenario where 
the OS is compromised. For example, iOS uses a dedicated, isolated and hardware-
backed subsystem called the Secure Enclave to isolate important cryptographic tasks. 
On Android smartphones, whether and which type of TEE is present depends on the 
manufacturer of the smartphone (e.g., Google Pixel smartphones contain the Titan M 
chip for this purpose). 

An example of a software-based solution that improves the security of an 
operating system is SELinux [1]: a security feature built into the Linux operating 
system that provides enhanced security through the use of mandatory access control 
(MAC) policies. SELinux defines access control policies that restrict the actions of 
processes and users on files, processes, and network resources. The policies are 
implemented in software and are enforced by the Linux kernel. 
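To make the mandatory access control model concrete, here is an added C example (not SELinux's own code) that evaluates access requests the way type enforcement does: each subject and object carries a label of the form user:role:type:level, and an operation is permitted only if an explicit allow rule matches the source type, target type, object class and permission; everything else is denied regardless of UID or file mode bits. The small allow-rule set is a constructed example policy, and roles, MLS levels and constraints are left out.

```c
#include <stdio.h>
#include <string.h>

/* A rule in SELinux type-enforcement form:
 *   allow <source type> <target type>:<class> { <permissions> };
 * Constructed example policy for a confined web server process (not a real
 * distribution policy). Each permission is expanded to its own entry. */
typedef struct {
    const char *src_type;
    const char *tgt_type;
    const char *cls;
    const char *perm;
} AllowRule;

static const AllowRule POLICY[] = {
    { "httpd_t", "httpd_sys_content_t", "file",       "read"      },
    { "httpd_t", "httpd_sys_content_t", "file",       "open"      },
    { "httpd_t", "httpd_sys_content_t", "dir",        "search"    },
    { "httpd_t", "httpd_log_t",         "file",       "append"    },
    { "httpd_t", "http_port_t",         "tcp_socket", "name_bind" },
};
#define POLICY_LEN (sizeof POLICY / sizeof POLICY[0])

/* Copy the type field (third component) of a security context string
 * "user:role:type[:level]" into buf. Returns 0 on success, -1 if malformed. */
static int context_type(const char *ctx, char *buf, size_t buflen) {
    const char *p = ctx;
    for (int i = 0; i < 2; i++) {          /* skip the user and role fields */
        p = strchr(p, ':');
        if (p == NULL) return -1;
        p++;
    }
    const char *end = strchr(p, ':');       /* an MLS level may follow the type */
    size_t n = end ? (size_t)(end - p) : strlen(p);
    if (n == 0 || n >= buflen) return -1;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 0;
}

/* Access decision: 1 if an allow rule grants perm for the (scon, tcon, cls)
 * triple, otherwise 0. Default deny: an operation nobody wrote a rule for is
 * refused, and so is any request whose label cannot be parsed. */
static int te_allowed(const char *scon, const char *tcon,
                      const char *cls, const char *perm) {
    char st[64], tt[64];
    if (context_type(scon, st, sizeof st) != 0 ||
        context_type(tcon, tt, sizeof tt) != 0)
        return 0;
    for (size_t i = 0; i < POLICY_LEN; i++) {
        const AllowRule *r = &POLICY[i];
        if (strcmp(r->src_type, st) == 0 && strcmp(r->tgt_type, tt) == 0 &&
            strcmp(r->cls, cls) == 0 && strcmp(r->perm, perm) == 0)
            return 1;
    }
    return 0;
}

/* Stand-alone demo: one confined process label tries several operations. */
int main(void) {
    const char *httpd = "system_u:system_r:httpd_t:s0";
    struct { const char *tcon, *cls, *perm; } req[] = {
        { "system_u:object_r:httpd_sys_content_t:s0", "file", "read"  },
        { "system_u:object_r:httpd_sys_content_t:s0", "file", "write" },
        { "system_u:object_r:shadow_t:s0",            "file", "read"  },
        { "system_u:object_r:httpd_sys_content_t:s0", "dir",  "read"  },
    };
    for (size_t i = 0; i < sizeof req / sizeof req[0]; i++) {
        int ok = te_allowed(httpd, req[i].tcon, req[i].cls, req[i].perm);
        printf("%-7s scontext=%s tcontext=%s tclass=%s { %s }\n",
               ok ? "granted" : "denied", httpd, req[i].tcon, req[i].cls, req[i].perm);
    }
    return 0;
}
```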


(2) Security-Evaluated OS 

A security-evaluated OS is an OS that has achieved certification from an external 
security-auditing organization. However, such systems still need to implement more 
security mechanisms to make certain system areas more secure (e.g., cryptographic 
modules, fine-grained access control) according to the criteria. Some of the most 
popular evaluation criteria are Common Criteria [2], FIPS 140-2 [3], and ITSEC [4]. 
Examples of such OSes are SUSE Linux or some Red Hat Enterprise Linux versions, 
Windows 10 Enterprise, etc. 

Even though a baseline exists for achieving a minimum level of security, the 
ultimate set of requirements to make a secure OS depends on the specific use 
case. For instance, a mobile OS has different requirements than a container-focused 
OS. Therefore, different measures can be taken to harden the underlying operating 
system for each specific use case. 


21.2.2 Trends 


One envisioned trend of secure OSes is their use in container-focused OSes. 
Over the last five years, many enterprises have moved their primary business 
activities and deployed their applications in container environments. However, those 
environments present particular risks since multiple applications/services run on 
containers on the underlying OS, sharing the same set of resources. Therefore, if 
an attacker manages to compromise the host OS, the rest of the system could be 
affected: for instance, they could disrupt the applications running on top of it or steal 
critical business information. On the other hand, if an attacker compromises an 
application running inside a container, he/she could try to escape the container and 
gain access to the host OS and/or pivot to other containers, achieving the same 
results as in the previous example. With that in mind, it seems reasonable that a 
container-focused OS might also be security-focused, including features such as 
those mentioned in Sect. 21.2.1. That is why the first standards on container 
security have recently been emerging [5]. Examples of well-known container-focused 
OSes are Flatcar Container Linux [6] or Bottlerocket [7]. However, those are not 
considered secure OSes since some of the features mentioned in previous sections are 
not implemented. Another example of such an OS that focuses on security is ARCA 
OS, from CYSEC [8], a Swiss startup launched in 2018 at EPFL in Lausanne. 
Another trend comes with the increasing development of intelligent vehicles. 
Modern vehicle industries (e.g., automotive, aeronautics) deploy more and more 
digital features; therefore, the attack surface widens significantly. A compromised 
component should not be able to endanger the rest of the system. For example, 
a car's Bluetooth vulnerability should not allow an attacker to control the brakes. 
Several efforts are being carried out to improve the development of secure vehicle 
OSes, for instance, Automotive Grade Linux [8] or Red Hat In-Vehicle OS [9], and 
the tendency should continue toward increasing the safety of future intelligent vehicles. 

Finally, in recent years, a trend toward more hardware security components, 
especially for the separation of cryptographic functions and the implementation of 
critical operations, has emerged. Examples of technologies that are part of this trend 
have been mentioned above, namely HSMs, TEEs and SELinux. These components are 
being used widely in critical infrastructures but also in smartphones to improve the 
security provided by the operating system. 


21.3 Consequences for Switzerland 


The use of secure operating systems is beneficial not only for high-risk systems but 
also for individuals who want to protect their assets. 

In more critical environments, such as governments and military systems that 
typically have higher security restrictions, security-evaluated OSes are a convenient 
option used in other countries, ensuring those systems fulfill a set of security 
requirements. In addition, these OSes ensure a minimum level of trustworthiness 
and security by limiting access to specific resources and isolating components. 

For Switzerland, a movement toward more secure operating systems is required 
to improve the security of sectors such as banking and the military. 

Individuals and businesses are also targets of cyber attackers. While individuals 
often opt for functionality over security, it is crucial to raise awareness of the 
importance of using security-focused OSes with extra security features to reduce 
the attack surface and protect their assets. 


21.3.1 Implementation Possibilities: Make or Buy 


Large amounts of knowledge, human resources, and time are required to create an 
OS from scratch. An OS is a piece of software responsible for controlling a device's 
hardware and providing an interface whereby an operator can use it. However, most 
OSes are much more sophisticated and perform many tasks: multitasking, 
memory management, support for multiple processor cores, networking, and drivers 
for all standard hardware. For instance, the Linux kernel (i.e., one part of an OS) 
consists of several million lines of code. Therefore, if the development of an OS 
is already a complex task, adding security concerns on top of that would require 
even more resources. For instance, the vulnerability management system is typically 
the most critical and time-consuming part of OS design. In addition, one of 
the most significant shortcomings of OSes built from scratch is the limited support 
for existing software, which could limit the functionalities of a given system. 


Table 21.1 Implementation possibilities for different sectors 

Military 
  Make, pros: Full control over implemented modules 
  Make, cons: Error in implementation and lack of compatibility with existing modules 
  and libraries 
  Buy, pros: Working solution 
  Buy, cons: Might contain accidental or purposeful backdoors 

Civil Society 
  Make, pros: None 
  Make, cons: Lot of resources needed to implement a functioning solution 
  Buy, pros: Easy adoption 
  Buy, cons: Associated cost 

Economy 
  Make, pros: In-house solution 
  Make, cons: Liability in case of security holes 
  Buy, pros: Cost of development is zero and the solution can be chosen according to needs 
  Buy, cons: Not as flexible as a self-developed solution 

On the other hand, given the availability of existing solutions, buying appears to 
be the preferable option, especially regarding the maturity of the existing solutions 
compared to an OS developed from scratch and given the complexity of such a task. 
When building an OS from scratch, many bugs might be introduced, and the time to 
reach a certain level of stability and maturity might require several years. Operating 
systems on the market have been developed for decades, and security has been 
considered a significant concern for all of them. In addition, one could implement 
additional security features on top of an existing OS to fill the needs (e.g., some 
specific cryptographic functions or authentication mechanisms) (Table 21.1). 


21.4 Conclusion 


Although the use of secure operating systems is not a definitive solution to protect 
against all the dangers of current cyberspace, it is clear that it can reduce the 
impact on the whole system of individual vulnerable applications or modules being 
exploited. Moreover, improving the security of the operating system is only 
one measure that can be adopted to reduce the attack surface: the combination 
of several other technologies, such as the ones discussed in other chapters, might 
increase the protection against cyber attacks and limit the ability of an attacker 
to exploit our systems. In addition, the human factor still plays a significant role 
in the overall security of a system. A secure OS will reduce the attack 
surface. Nevertheless, training teams of users is essential for security. 
Chapter 22
Biometrics


Sophia Ding, Emilia Nunes, Pascal Bettendorff, and Weyde Lin 


22.1 Introduction 


This chapter provides an overview of the current state and future trends of biometrics, a
technology that measures physiological characteristics to identify individuals.
The technology is based on three types of biometrics: biological, morphological, 
and behavioral. The data collected from a biometric sample is stored on a storage 
medium and is compared with a database during authentication. The biometrics 
market is growing globally and is expected to reach $68.6 billion by 2025. Future 
trends in biometrics include increased usage in the sharing economy and unstaffed 
shops, technical advancements in real-time biometric authentication and increased 
privacy concerns. 


22.2 Analysis 


Recent years have seen a surge in the use of biometric authentication methods. 
Technological progress, especially in the Internet of Things (IoT) and Artificial 
Intelligence (AI), makes it possible to measure biometrics quickly and with
high-quality results. As a result, it is possible to solve
several challenges in existing security concepts by using biometrics. However, their 
use also raises ethical and regulatory concerns. 
22.2.1 Definition


In biometrics, physiological characteristics (e.g., fingerprints, facial features, 
voices) are measured so individuals can be identified [1]. It is important to note 
that biometrics are unique biological characteristics, which means that no two 
individuals, not even twins, possess the same biometrics. Biometrics are used for 
various purposes, including fighting crimes, screening people at borders, combating 
fraud, and protecting access to a secured asset (such as computer networks, 
hardware, or software) [1, 2]. 
Biometric security is divided into three groups [3]: 


* Biological biometrics analyze characteristics at the genetic and molecular level 
(e.g., DNA or blood). 

* Morphological biometrics are based on the body's structure (such as the iris or
fingerprint).

* Behavioral biometrics are based on patterns unique to each individual (e.g., how 
people walk or speak). 


A biometric sample is obtained from an individual (e.g., a fingerprint or iris 
scan). Data is extracted from the sample and stored on a storage medium (e.g., a 
smart card). If a person requests authentication, the system compares the person's 
biometrics with the data in the database. The system authenticates a person if there 
is a match [4]. 

Since biometry does not share the same characteristics as other authentication
techniques, such as passwords or PIN codes, it is widely used as a second
authentication factor. In addition, on mobile phones and laptops, biometric-based
encryption is widely used.

There has been a steady increase in the importance of data protection. It has been 
reported that users are reluctant to entrust biometric data, particularly fingerprints, 
to solution providers [5]. Some authentication systems try to address this issue 
by storing a user's biometric data locally on the device itself instead of storing 
it remotely on a server. For example, Apple's Touch ID technology stores a 
mathematical representation of the user's fingerprint locally in a secure enclave, 
which is inaccessible by the device's operating system [6]. This makes it more 
privacy-friendly, leading to higher adoption rates. 
22.2.2 Trends

Globally, the biometrics market is growing rapidly. The global biometric market is
expected to reach $68.6 billion by 2025, from $36.6 billion in 2020 [7]. Further-
more, due to the increasing number of terrorist activities and the increased theft of
sensitive data, the biometrics market is expected to grow at a significant rate [5].
Future trends in biometrics include (Table 22.1):


Table 22.1 Future trends in biometrics

Trend Category | Trend | Description | References
Use Cases | Sharing Economy | During the next few years, biometrics will become increasingly prevalent in the sharing economy (e.g., car sharing, apartment sharing), enabling organizations to offer trustworthy services and improve customer satisfaction. | [8, 9]
Use Cases | Unstaffed Shops | In these stores, customers must download a mobile app that must be scanned before entering the store. A facial recognition device verifies the identity of customers and a digital camera records all actions taken by customers. The number of pilot shops is anticipated to increase in the coming years (e.g., the "VOI Cube" by Migros). | [10, 11]
Technical Development | Real-time Biometric Authentication | By using real-time biometric authentication systems, criminal acts, such as hacking and database breaches, are reduced while data privacy is maintained. Progress in the development of existing techniques (Biometric Encryption, Behavioral Biometrics) combined with the Internet of Things (IoT) and artificial intelligence (AI) has increased their applicability. For example, the global market for behavioral biometrics is expected to reach $3.9 billion by 2025. | [12, 13]
Technical Development | Cloud-based Biometrics | A cloud-based biometric solution enables companies to use and scale search and enrollment capabilities quickly and efficiently. Using Biometrics as a Service (BaaS) solutions, companies can prevent identity theft and data breaches without building their own biometric systems. The global market for biometrics-as-a-service is forecasted to grow by 16% a year, reaching $10.4 billion by 2030. | [14, 15]
Technical Development | Multimodal Authentication | Multimodal authentication systems use two or more biometric features to provide an additional layer of security for organizations. As fraud attempts increase, biometric anti-counterfeiting technologies are being developed to detect them. | [16]
Risks | Cyberattacks in the Age of AI | There is a close connection between biometric technology and artificial intelligence. As a result, cybercriminals have new opportunities for more sophisticated cyberattacks. By mimicking victims' facial features, deep fakes can be used to exploit identification systems. Similarly, adversarial attacks manipulate sensory data. Other attacks include morphing (the manipulation of reference data) and backdoor attacks (the manipulation of training data). In the future, these attacks are expected to increase in frequency. Another issue relates to the immutable nature of biometrics [17]. While a breached password is easily changed, most biometrics are not spontaneously malleable (e.g., fingerprints remain the same throughout life; a facial change would require surgical intervention). This poses a significant post-breach risk for users and highlights one of the large drawbacks of biometric authentication. | [18]
Risks | Ethical and Regulatory Risks in the Age of AI | Several countries are currently working on regulating artificial intelligence. For example, the proposed EU AI Act prohibits using AI systems classified as unacceptable risk systems, such as real-time, remote biometric identification systems used in public spaces for law enforcement purposes. | [19]


22.3 Consequences for Switzerland 


The Swiss private sector already uses biometric identification and authentication 
extensively (e.g., for school canteen access, attendance, and access to IT systems). 
However, aligning these use cases with data protection laws takes time and effort. 
According to the Swiss Federal Data Protection and Information Commissioner 
(FDPIC), biometric systems should be used with caution, and many recommen- 
dations are provided on how to use them effectively [20]. 

Using biometric fingerprints has been a part of Swiss law enforcement for over a 
century [21]. In recent years, more advanced biometric methods have been consid- 
ered (especially facial recognition). There is a legal basis for their use in criminal 
investigations, but some legal experts argue that they are insufficient [22, 23]. In 
particular, facial recognition is opposed by several groups due to privacy concerns, 
violations of human rights, and fears of mass surveillance [24-26]. Swiss law
enforcement agencies are aware of the risks associated with facial recognition
technology and closely monitor the development of frameworks for the responsible
use of this technology. Although some high-level frameworks exist, they do not yet
include concrete recommendations for implementation [27].

Biometric technology is a subject of active research in Switzerland; examples include
the Swiss Center for Biometrics Research and Testing at IDIAP (https://www.biometrics-center.ch)
and the Center for Security Studies at ETH Zurich (https://css.ethz.ch). In addition
to conducting commercial research on identity and data governance, IBM Research
Zurich researches biometrics. Also, many companies sell biometric products and
solutions, such as Touchless Biometric Systems AG (Pfäffikon SZ) and Tech5
(Geneva, GE), as well as research spinoffs, such as PXL Vision (Zürich, ZH) and
BWO Systems (Schenkon, LU).


22.3.1 Implementation Possibilities: Make or Buy 


A biometric system is vulnerable to various attacks, from faking input (for example, 
copying fingerprints) to attacking the technology itself. As a result, designing and 
implementing secure biometric authentication methods requires highly specialized 
technical expertise and experience. According to the British National Cyber Security 
Centre, buyers should ask vendors to conduct a detailed security analysis of their 
product [28]. 

A fully integrated solution offers significant advantages as it aligns biometric 
hardware, key generation, validation, and storage with the cryptographic provider, 
providing a coherent control environment. A well-established example is IBM's 
Trusted Platform Module and Fingerprint Reader ecosystem [29]. 

In recent years, there has been a push for the creation of open-source solu-
tions [30]. While their performance may be comparable to commercial solutions,
they usually still require a more in-depth security analysis.

Organizations must choose both hardware and software when sourcing biometric 
technology. For fingerprinting, for instance, the choice of hardware is influenced by 
factors such as the company's industry, the age range of users, and the climate. 
In addition, the choice of hardware and software can impact the computational 
workload of the biometric system [31]. 


22.3.2 Variation and Recommendation
There are several military applications: 


* Biometric identification friend or foe: It is essential to distinguish between 
friends and foes on the battlefield and at borders and checkpoints [32]. 
* Weapons with fingerprint lock: A signature gun (smart gun) is a firearm that only
an authorized individual can fire. A security function such as this can prevent
third parties from misusing the weapon [33].


22.4 Conclusion 


The trend in biometrics is toward faster, more secure, and more convenient solutions. 
As a result, there is an increasing market share of integrated systems, which 
integrate hardware, key generation, validation, and storage, as well as cryptographic 
providers. As biometrics become more prevalent and their integration with AI 
systems increases, ethical and regulatory questions become more pressing. 
Chapter 23
Electronic Voting


Louis-Henri Merino 


23.1 Introduction 


Remote electronic voting, where eligible voters can cast votes from anywhere in the 
world on their device, promises to increase voter turnout, improve accessibility, and 
reduce costs. However, building a secure online voting system is complex, involving 
four essential requirements: integrity, privacy, coercion-resistance, and availability. 
Moreover, the successful deployment of a secure online voting system would require 
close collaboration among the public and private sectors and academia. The military 
and intelligence agencies could play an essential role in supporting the e-voting 
operator against cyberattacks meant to deteriorate public trust in the voting outcome. 


23.2 Analysis 


23.2.1 Definition 


Online voting promises to increase voter turnout, improve accessibility (e.g., support 
for multiple languages) and reduce cost for voters [1, 2]. For organizations, online 
voting can help increase productivity and decrease costs [2]. 

However, the outcome of an election event will usually have real-world impact, 
making security paramount [3, 4]. At the moment, the approaches to securing an 
election are still being debated, evolving since at least 1987 [3, 5-8]. 
Table 23.1 Necessary security requirements for an online voting system

Property | Requirement | Definition
Vote Compliance | Integrity | Invalid votes must be discarded.
Vote Secrecy | Privacy | Voters' votes must be confidential.
Voter Intention | Coercion-Resistance | Voters can cast their intended vote.
Individual Verifiability | Integrity | Voters are capable of checking the inclusion and the correctness of their votes.
Universal Verifiability | Integrity | Anyone can verify the outcome of a voting event.
Resiliency | Availability | E-voting authority registers votes and reveals outcomes promptly.
Transparency | Integrity | Anyone can audit the e-voting platform and the deployed infrastructure.


In Table 23.1, compiled from a variety of academic, industry, and government 
sources [8-11], we present, to our knowledge, the necessary security requirements 
for an online voting system suitable for high-stakes voting events. Namely, there are
four crucial requirements: integrity, privacy, coercion-resistance, and availability.
Integrity ensures that every participating eligible voter can cast their vote and that 
the outcome of the voting event has not been altered; privacy ensures that the vote 
of any given voter is not revealed; coercion-resistance ensures that the voter can cast 
their intended vote; and availability ensures that the e-voting authority accepts and 
tallies votes promptly. 


23.2.2 Trends 


Market and Application The most apparent market for remote e-voting systems 
is government electoral agencies. However, many other actors could benefit from 
remote e-voting, some of which include a government's judicial branch (e.g., jury 
voting), a government's legislative branch (e.g., voting on legislative proposals), 
corporations (e.g., boardroom voting), and academic institutions (e.g., student 
representative elections). Each use case may have its own subtle specialized
requirements; for example, for boardroom voting and jury voting, where the number 
of voters is small, it is preferable to release the outcome without releasing the 
number of votes per option since it could deter voters from voting their actual 
preference [12]. 


Actors The design of an e-voting system for a high-stakes use case will likely 
require the involvement (and close collaboration) of actors from all sectors: 
academia for research, industry for technology transfer and support, and government 
for regulations. This collaboration is observed with the development of the Swiss
Post E-Voting system with the intent for use in Swiss elections and referendums [10, 
11, 13]. Academics have proposed various electronic voting schemes, found critical 
vulnerabilities in the Swiss Post E-Voting System, and given feedback on proposed 
Swiss regulations. 


23.3 Consequences for Switzerland 


23.3.1 Implementation Possibilities: Make or Buy 


See Table 23.2. 


23.3.2 Variations and Recommendation 


While online voting does not have direct military usage, the military could have 
an impact on online voting in the public sector. A successful cyber-attack on the 
nation's e-voting platform may cause significant consequences to society (e.g., 
reducing public trust in the outcome) [14, 15]. A denial of service attack, for
example, could cause votes to be rejected or delay the results.
In such circumstances, the support of the military may help e-voting operators 
remain available and secure despite the most sophisticated attacks. 


Table 23.2 Implementation possibilities for different sectors

Sector | Make: Pros | Make: Cons | Buy: Pros | Buy: Cons
Civil Society | Collaboration between academia, industry and government | High costs | Potentially lower cost | May lack transparency in its security requirements
Economy | Tailored for the use case in question | Primarily a cost reduction strategy with high costs to develop | Lower cost (no dedicated internal resources) | May require adapting to the abilities of the purchased system
23.4 Conclusion


Remote E-Voting systems promise substantial benefits from an increase in conve- 
nience, productivity, and accessibility to a decrease in costs. However, these systems 
must satisfy various security requirements to become eligible for high-stakes voting 
events (e.g., governmental elections). The author believes that the military and 
intelligence agencies could play an essential role in ensuring the uptime of a 
deployed e-voting system, helping to achieve the availability security requirement. 
In the meantime, remote e-voting systems can already be deployed in a variety 
of environments that require less stringent security requirements: Academia and 
industry (e.g., student elections, boardroom voting). 
Chapter 24
Data in Transit Security


Roland Meier 


24.1 Introduction 


Data in transit, or network traffic, can be eavesdropped on and potentially leak 
sensitive information. This information can be in the form of the payload (the 
message being transmitted), headers (which contain information about the sender 
and receiver), or metadata (protocol information about the packet). To prevent 
information leakage, various technologies exist that encrypt the payload and head- 
ers, such as MACsec, IPsec, and TLS. However, it is more challenging to protect 
metadata, as it involves hiding more than just the contents of the packet. Techniques 
to hide metadata include obfuscating packet sizes, timing, and path, but these 
methods often come with trade-offs, such as increased latency or decreased network 
performance. Therefore, it is essential to consider data security in transit and 
implement appropriate measures to prevent unauthorized access and information 
leaks. 


24.2 Analysis 


24.2.1 Definition 


Data in transit (i.e., network traffic) is susceptible to eavesdropping and can leak 
information through the following channels: 


* Payload: The packet payload contains the message transmitted (e.g., parts of a
website or email). 
* Headers: The packet headers contain the information required to deliver the
packet to the correct destination and parse it correctly by the receiving applica- 
tion. Packet headers, therefore, contain information about the sender and receiver 
of a packet (e.g., their IP and MAC addresses) and information about the user 
application and protocol. 

* Metadata: Metadata in network traffic is normally considered to be protocol
information about the packet that, unlike the headers, is not contained in the packet
directly but can be observed when recording the packet (e.g., the packet size or
the time when it was received). If a packet is received at multiple locations, this
reveals additional information (e.g., the path a packet takes through the network).


For an eavesdropper, extracting information from unprotected headers and 
payloads is easy. Nevertheless, even if headers and payloads are protected (i.e., 
encrypted), several so-called traffic-analysis attacks can infer sensitive information 
based on traffic metadata. 

For each type of information channel, there exist technologies to prevent the
leakage:


Protecting Payload and Headers The usual approach to protecting the payload 
and packet headers is to encrypt them. To do so, various encrypted protocols exist 
that encrypt data on various layers (not only the payload but also some headers). 
Widely used protocols include MACsec, IPsec, and TLS, which are explained in 
more detail below. 


* MACsec (Medium Access Control security) [1]: Operates on the link layer and
encrypts packets between (layer 2) switches. MACsec encrypts the entire packet, 
including all headers except the source and destination addresses in the link 
layer (i.e., the source and destination MAC address). MACsec is typically used 
to protect individual links in a local area network (LAN) or wide area network 
(WAN) against eavesdropping. 

* IPsec (Internet Protocol Security) [2]: Operates on the network layer and can
be used in two modes: transport mode and tunnel mode. In transport mode, 
IPsec encrypts the payload of the IP layer (i.e., the headers of the transport-layer 
protocol and packet payloads). In tunnel mode, IPsec creates a tunnel from the 
sender to a destination and encrypts the IP header and its payload. To do so, it 
encapsulates the original IP packet within a new IP packet whose destination 
address is the tunnel's endpoint, thereby revealing the IP addresses of both 
ends of the tunnel. IPsec is typically used to create tunnels between locations 
connected over an untrusted network (e.g., the Internet). For more information 
about tunnels and so-called Virtual Private Networks (VPNs), see Chap. 26. 

* TLS (Transport Layer Security) [3]: Operates on the transport layer and encrypts 
only its payload. Therefore, it does not hide other packet headers such as the 
source and destination IP addresses. TLS is used for many applications, but its 
most well-known use case is web browsing over HTTPS. 
Protecting Metadata Hiding packet metadata is more difficult than hiding
packet contents because it involves more than just encrypting the actual traffic.
Completely hiding metadata is often impossible because packets need to be sent at
some point. There exist various options:


* Obfuscating packet sizes: Obfuscating the size of packets or flows can be 
achieved by adding padding to the original contents of a packet or by splitting 
one packet into multiple fragments. For example, IPsec and TLS allow adding 
a random amount of padding to each packet before encrypting it to conceal its 
real size. However, it has been shown that this padding is too little to prevent 
traffic-analysis attacks [4]. 

* Obfuscating packet timing: Obfuscating the timing of packets can be achieved
by delaying the sending time of a packet. However, this inevitably leads to an
increase in latency and, therefore, a decrease in network performance. Therefore,
systems to hide the timing mainly exist as prototypes presented in research papers
(e.g., [4-6]), and are rarely used in practice.

* Obfuscating packet paths: Obfuscating the path of packets can be achieved by re-
encrypting the packet multiple times while it crosses the network. The most well-
known technique to do this is Onion Routing and its implementation in the Tor
network. However, more than re-encrypting packets is needed; packet timings
and sizes need to be concealed, too, in order to prevent correlation attacks such
as the ones discussed in [7].


Reliably preventing traffic analysis attacks based on metadata requires making 
the traffic that crosses the network independent of the actual production traffic in 
terms of packet size, timing, and contents. This can be achieved by reshaping and 
encrypting production traffic such that it is sent at a fixed rate, and the encryption 
makes packets indistinguishable from each other. 

Unfortunately, preventing traffic analysis attacks typically adds large amounts 
of overhead in terms of additional delays, packet padding, and cover traffic and, 
therefore, often comes at the cost of throughput decrease or latency increase. 
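The two approaches above, per-packet random padding as IPsec and TLS allow it and fixed-rate, fixed-size shaping with cover traffic, as an added simulation that is not part of this chapter or of any protocol implementation. The cell size, per-cell overhead and send interval are assumptions chosen for the example, and the packet lists are constructed inputs; the point it shows is that only the shaped trace is independent of the production traffic, and what that costs in cover traffic and queueing delay.

```python
import random
from dataclasses import dataclass

# Shaping parameters: assumptions for this example, not values from any standard.
CELL_PAYLOAD = 256     # bytes of production data one fixed-size cell carries
CELL_OVERHEAD = 32     # bytes of per-cell header and authentication tag
CELL_INTERVAL = 0.01   # seconds between two cells on the wire (100 cells/s)


@dataclass(frozen=True)
class Wire:
    """What an eavesdropper on the link observes about one transmitted unit."""
    time: float
    size: int


def random_padding(packets, seed=0):
    """Per-packet random padding (0..255 bytes), as IPsec and TLS allow.
    Timing is untouched and the padded size still grows with the real size,
    so the trace stays correlated with the production traffic."""
    rng = random.Random(seed)
    return [Wire(t, size + rng.randint(0, 255)) for t, size in packets]


def constant_rate(packets, duration):
    """Fixed-rate, fixed-size shaping with cover traffic.

    packets:  list of (arrival_time_s, size_bytes) production packets
    duration: how long (s) the shaper keeps the link busy
    Every CELL_INTERVAL one cell of CELL_PAYLOAD + CELL_OVERHEAD bytes leaves,
    carrying queued production bytes if there are any, dummy bytes otherwise.
    Returns (wire_trace, stats); the trace depends only on duration, never on
    the packets, which is what defeats size- and timing-based traffic analysis."""
    pending = sorted(packets)
    backlog = []          # FIFO of [remaining_bytes, arrival_time] per packet
    trace, delays = [], []
    real_cells = dummy_cells = delivered = 0
    for k in range(int(round(duration / CELL_INTERVAL))):
        now = round(k * CELL_INTERVAL, 9)
        while pending and pending[0][0] <= now:
            arrival, size = pending.pop(0)
            backlog.append([size, arrival])
        if backlog:
            room = CELL_PAYLOAD   # fragment large packets, coalesce small ones
            while backlog and room > 0:
                take = min(room, backlog[0][0])
                backlog[0][0] -= take
                room -= take
                delivered += take
                if backlog[0][0] == 0:   # last byte of this packet leaves now
                    delays.append(round(now - backlog[0][1], 9))
                    backlog.pop(0)
            real_cells += 1
        else:
            dummy_cells += 1      # cover traffic keeps the rate constant
        trace.append(Wire(now, CELL_PAYLOAD + CELL_OVERHEAD))
    total = real_cells + dummy_cells
    stats = {
        "real_cells": real_cells,
        "dummy_cells": dummy_cells,
        "bytes_on_wire": total * (CELL_PAYLOAD + CELL_OVERHEAD),
        "bytes_delivered": delivered,
        "packets_still_queued": len(backlog) + len(pending),
        "max_delay": max(delays, default=0.0),
    }
    return trace, stats


def distinguishable(trace_a, trace_b):
    """True if an observer of (time, size) pairs can tell the two traces apart."""
    return trace_a != trace_b


if __name__ == "__main__":
    # Constructed inputs: a bursty web-like flow and a single small packet.
    flow_a = [(0.0, 1500), (0.005, 100), (0.3, 4000)]
    flow_b = [(0.1, 60)]
    print("padding only, distinguishable:",
          distinguishable(random_padding(flow_a, 1), random_padding(flow_b, 1)))
    trace_a, stats_a = constant_rate(flow_a, 0.5)
    trace_b, stats_b = constant_rate(flow_b, 0.5)
    print("constant rate, distinguishable:", distinguishable(trace_a, trace_b))
    print("cost for flow_a:", stats_a)
```

For the bursty flow, 27 of the 50 cells in half a second are cover traffic and the 4000-byte packet waits 150 ms for its last fragment, which is the throughput and latency trade-off the text describes.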


24.2.2 Trends 


The percentage of encrypted network traffic has risen continuously in the past years, 
and we expect this trend to continue in the following years. 

A major driving factor for this is that the "Let's Encrypt" certification author- 
ity [8] allows everyone to obtain TLS certificates for free. This led to a rapid increase 
in the websites reachable over encrypted connections, i.e., over HTTPS. In addition, 
website operators are further incentivized to deploy TLS because it leads to a better 
ranking in the Google search results [9]. 

In addition, QUIC, a new transport-layer protocol, was standardized in 2021 [10]. 
In contrast to TCP and UDP, QUIC is encrypted by default and provides better 
performance and reliability than TCP and UDP. Google initially introduced it and
supports it in its products, but other platforms and services now support it as well.
TLS and QUIC are increasingly used to encrypt traffic that was traditionally not
encrypted. For example, DNS queries are now sent over encrypted channels.


24.3 Consequences for Switzerland 


Because popular websites and services in Switzerland enforce encrypted connections,
most web network traffic in Switzerland is encrypted. In addition, the major
Swiss web hosting providers support TLS encryption for their customers' websites 
free of charge and with an easy setup, further increasing the percentage of encrypted 
traffic. 

On the other hand, measures to protect metadata are not widespread in Switzer- 
land, leaving network traffic vulnerable to traffic-analysis attacks. However, these 
attacks primarily exist as research prototypes only. 


24.3.1 Implementation Possibilities: Make or Buy 


Buy: The widely available secure transport protocols and their implementations in 
popular libraries should be used for encryption. 

Make: For sensitive environments, the benefits of metadata protection schemes
outweigh their potential costs (e.g., additional overhead). Unfortunately, there is
no widespread solution here, and it would be necessary to develop a new 
solution for Switzerland's use case (e.g., based on research projects from Swiss 
universities [5, 6, 11, 12]). 


24.4 Conclusion 


Unprotected traffic allows an eavesdropper to learn sensitive information about 
ongoing communication. To mitigate this, there exist many communication pro- 
tocols that encrypt traffic on different layers. These protocols (MACsec, IPsec, and 
TLS) are widely used today and achieve good security for network traffic. However, 
even if traffic is encrypted, it leaks information through its metadata. Preventing 
this is more challenging, leads to more communication overhead, and is rarely done 
today. 
Chapter 25
Blockchain


Linus Gasser and Jean-Pierre Hubaux 


25.1 Introduction 


A blockchain is a decentralized system for managing a block-based data structure. 
Unlike centralized systems that rely on honest operators, blockchains can function 
even when some participants act maliciously, as long as more than half of the 
entities in the network are honest. Digital Ledger Technologies (DLT) encompass 
systems like blockchains, which offer decentralized data management. Blockchains 
differ from databases in that they are entirely decentralized, while DLTs have 
some decentralized components and rely on the majority of participants for trust. 
Blockchains vary in data structure, content, visibility, node onboarding, consensus 
algorithm, wallets, and second-layer services. The use of blockchains in finance, 
under the name of cryptocurrencies, is currently the most visible application, but 
the industry is still heavily debated and subject to speculation. 


25.2 Analysis 


25.2.1 Definition 


In 2008, in his seminal work on Bitcoin, Satoshi Nakamoto introduced a data 
structure (“a chain of blocks”) as well as a consensus mechanism that enables 
a set of entities to maintain the general ledger of a currency in a distributed 
manner [1]. Furthermore, the construction provides security guarantees as long as 
more than half of the entities participating in the distributed network are honest.
Part of the difficulty and confusion when talking about “Blockchains” stems from
the fact that there is no precise definition of a “Blockchain”. Some consider the 
whole ecosystem, including all its components, the consensus mechanism, and the 
execution environment for a scripting language running on the participating nodes 
as "the Blockchain". In contrast, others restrict the focus on the underlying data 
structure that consists of blocks containing data that build a chain. 

A broader term for blockchains is Digital Ledger Technologies (DLT). This 
includes systems that do not rely on linked blocks but offer decentralized data 
management. The difference between blockchains, DLTs, and databases can be 
summarized as follows: 


* Database: allows to store, retrieve, and update data according to a set of rules 
(access control); the trust relies on the administrators 

* DLT: like a database, but some of the system components are decentralized; the 
trust relies on the majority of participants 

* Blockchain: a special type of DLT where all of the system components are 
decentralized 


Thousands of blockchain systems have already been implemented. Here are the 
main concepts differentiating their various kinds: 


* Data structure—how the data is stored: this is either a single chain of blocks or 
blocks that link to more than one other block to create a Directed Acyclic Graph 
(DAG) 

* Data content—what is stored: only asset transactions, or scripting possibilities 
(smart contracts) 

* Data visibility—who can view the data: global blockchains offer full access to the 
data (public), while some local blockchains have a restriction at the network level 
(private). Some newer global systems protect the data using a zero-knowledge 
proof system [2, 3]. 

* Node onboarding—how new nodes are accepted in the system: Bitcoin uses 
Proof of work (PoW), where new nodes spend energy to join. Newer blockchains 
use Proof of Stake (PoS), where new nodes need to stake money to join. More 
centralized DLTs use Proof of Authority (PoA) and have a centrally managed list 
of nodes. One can add that PoW systems are also called Permissionless systems, 
while PoA systems are called Permissioned systems. PoS is in between those 
two. 

* Consensus algorithm—how conflicting data gets stored: the simplest system is to 
accept only a linear list of non-conflicting blocks, but this can take time. PBFT 
systems vote on every new block and do not have to wait. Other systems exist 
like Avalanche [4] or Narwhal/Tusk [5] 

* Wallets—storage of user data: most DLTs use an access control system based on 
private keys. As there is no central service to restore access in case of loss of this 
private key, the wallets are of utmost importance in DLT systems. 

* 2nd layer—services on top of the DLT: as DLTs in 2022 are too slow for 
worldwide usage, some offer external protocols which use the underlying DLT 
to synchronize at regular intervals. 
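The chain-versus-DAG distinction in the "Data structure" item, and the reason blockchain history cannot be rewritten unnoticed, can be seen in a few lines of code. The following is an added example, not code from the book or from any real DLT; the block layout, the SHA-256-based linking and the sample payloads are assumptions made here:

```python
# Added example (not from the book): a minimal hash-linked ledger. Every block
# stores the hashes of the block(s) it links to; with one parent per block the
# result is a linear chain, with several parents it is a Directed Acyclic Graph
# (DAG). Payloads and transaction strings are constructed sample values.
import hashlib
import json
from dataclasses import dataclass


def block_hash(parents, payload):
    """Digest over a canonical encoding, so every node derives the same hash."""
    canonical = json.dumps({"parents": sorted(parents), "payload": payload},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass
class Block:
    parents: list   # hashes of the linked block(s); [] only for the genesis block
    payload: dict   # what is stored, e.g. an asset transaction
    digest: str     # hash committing to parents and payload


class Ledger:
    """Append-only store of blocks addressed by their hash."""

    def __init__(self):
        genesis = Block([], {"genesis": True}, block_hash([], {"genesis": True}))
        self.blocks = {genesis.digest: genesis}
        self.genesis = genesis.digest
        self.tips = {genesis.digest}   # blocks that nobody links to yet

    def append(self, payload, parents=None):
        """Link a new block to the given parents (default: every current tip)."""
        parents = list(parents) if parents is not None else sorted(self.tips)
        unknown = [p for p in parents if p not in self.blocks]
        if unknown:
            raise ValueError("unknown parent block(s): %s" % unknown)
        blk = Block(parents, payload, block_hash(parents, payload))
        self.blocks[blk.digest] = blk
        self.tips -= set(parents)
        self.tips.add(blk.digest)
        return blk.digest

    def verify(self):
        """Recompute every digest and check that every parent exists.

        A block whose payload was edited afterwards no longer matches its stored
        digest; a block whose digest was rewritten orphans every block that linked
        to the old digest. Either way the tampering becomes visible.
        """
        for digest, blk in self.blocks.items():
            if block_hash(blk.parents, blk.payload) != digest:
                return False
            if any(p not in self.blocks for p in blk.parents):
                return False
        return True

    def history(self, digest):
        """All ancestors of a block: the full, never-deleted history behind it."""
        seen, stack = set(), [digest]
        while stack:
            h = stack.pop()
            if h in seen:
                continue
            seen.add(h)
            stack.extend(self.blocks[h].parents)
        return seen


if __name__ == "__main__":
    led = Ledger()
    a = led.append({"tx": "alice->bob 5"})
    b = led.append({"tx": "bob->carol 2"})
    print("valid:", led.verify(), "tips:", len(led.tips))
    led.blocks[a].payload["tx"] = "alice->bob 500"   # edit history after the fact
    print("valid after edit:", led.verify())
```

Consensus is deliberately absent: the ledger accepts any block, so two nodes appending different blocks to the same tip produce the forks that the "Consensus algorithm" item says a real system must resolve.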


25.2.2 Trends 


Market It is still very much debated where the money in DLT investment comes 
from and how it is used. While some people promote blockchains as the ultimate 
tool for a libertarian lifestyle [1], others think that blockchains only serve as an 
opaque technical background for investment fraud. For example, Alvin [6] thinks 
that Bitcoin is a unique asset in history and can best be compared with a zero- 
coupon perpetual bond or an indefinite call option. This is an ironic way to say that 
investing in blockchains is the same as high-risk speculation. 


Applications In 2022, most of the visible applications of blockchains are in the 
financial sector under the name of cryptocurrencies [7]. This includes 
investment/speculation in the form of assets like Non-Fungible Tokens (NFTs) and 
Decentralized Finance (DeFi), e.g. Uniswap. However, contrary to its name, only a few 
cryptocurrencies are currently used for digital payment. If blockchains get regulated, 
they might also be used for day-to-day payment services, where they will have to 
compete with VISA, PayPal, Stripe, and others. 

DeFi currently allows the exchange of tokens from one blockchain into tokens 
from another. In the future, this will also include trading fiat money, lending, and 
receivables management. 

NFTs bind a public key to a digital token and can be used by artists to sell their 
art. Depending on the license, the current holder of the digital token has some rights 
toward the piece of art [8]. Opinions on NFTs are also very split, between a Ponzi 
scheme and a fairer way for artists to make money. They will undoubtedly continue 
to be used for brand-aware marketing, but real-world use cases are difficult to find. 

Finally, Decentralized Autonomous Organizations (DAOs) want to allow more 
direct investments into innovative systems in the blockchain space. However, 
most attempts have been crippled by programming errors and subsequent loss of 
investments. DAOs are further hampered by missing legislation, which makes it 
difficult to trust the investment. 

A growing list of applications is produced around blockchains' tracking and 
logging capabilities: due to their underlying data structure, all history is available 
forever. It is also easy to onboard new actors if the wallets are implemented in a 
user-friendly way. This makes supply chain management easier for all involved partners 
while removing the need for a central actor [9]. This supply chain management can 
be helpful for civil purposes like determining where all ingredients for a medical 
drug come from. The military, too, must know where the different parts 
come from and whether they are trustworthy. An example is detached labels, 
where the parts are identified by a QR code that refers to the data on a blockchain. 

A third application that is being pushed is identity management. Several actors 
started to push Self-Sovereign Identities to increase users' confidence in this topic. 
The users manage these identities, which can be stored on a blockchain. This 
decreases the risk of a single actor behaving maliciously. 


Actors On the research front, the Web3 foundation, the Ethereum Foundation, and 
Protocol Labs are three significant sources of grants for new technology in the 
blockchain space. They are responsible for many new protocols and algorithms in 
that space. 

Even though cryptocurrencies are supposed to be decentralized, there are two 
prominent companies helping users buy and sell those coins: Binance and Coinbase. 
In 2022, Binance alone traded more than all other exchanges combined! 

Upcoming prominent actors include countries starting to regulate blockchain 
technology and, more specifically, cryptocurrencies. While China has already 
passed legislation to regulate blockchains strictly, India and Europe have several 
laws in preparation. The USA law proposals are more geared toward integrating 
cryptocurrencies into the rest of the financial system. 


Research For blockchain systems to be helpful globally, much research still needs 
to be done. The road is long to fulfill the goal of having a global, fully decentralized 
ledger that allows the transaction of assets and handling personal data like self- 
sovereign identity. 

Starting with the current performance problems of blockchains, the governance 
model most appropriate for these systems also needs to become more transparent. Then 
there is a need to be able to exchange between different blockchains, and current 
solutions still fail too often. New algorithms are needed to handle private data on a 
public ledger for privacy reasons. To include outside information in blockchains, like 
stock markets or other data, so-called oracles will be needed. Furthermore, much 
research must be done to ensure secure operation even once powerful quantum 
computers exist. 


Smart Contracts In addition to storing transactions in a block, most modern 
blockchains can also store pieces of a program in a block. These programs are 
called “smart contracts”: “smart” because users can interact with these programs 
by sending new transactions to the blockchain, and “contract”, not in a legal sense, 
but because they are immutable and represent all possible interactions of the user 
with this program. The “Applications” paragraph above gives some examples, as does 
the chapter about Web3 (Chap. 34). 


25.3 Consequences for Switzerland 


While in the beginning, cryptocurrencies have been hailed as the new banks 
and the downfall of the traditional financial system has been proclaimed, current 
expectations are much lower. So far, cryptocurrencies have been used as an 
investment/speculation vehicle. Other uses in the financial sector will complement 
traditional services but probably not disrupt them on a large scale. This is due to 
missing regulations, which makes investing and using DLT technologies very risky. 


Table 25.1 Implementation possibilities for different sectors 

Sector | Private: Pros | Private: Cons | Public: Pros | Public: Cons 
Military | More secure against partner attacks | Difficult to interact with others | Easy integration with other armies | System might malfunction if majority of participants misbehave 
Civil Society | Easier to set up for small groups | Difficult to interact with others | Exchange with a larger group of people | More expensive, increased risk of attacks 
Economy | Control the system | Less innovation | Innovation through new disruptive ideas | Need to create new business models 

Contrary to most other countries, Switzerland has clear regulations regarding 
blockchains that allow building such systems without legal risks [10]. The crypto- 
valley in Switzerland, centered around Zug but also in Geneva and Neuchatel, has a 
thriving ecosystem of blockchain-related companies. 


25.3.1 Implementation Possibilities: Make or Buy 


This section presents the pros and cons of buying or making a blockchain. For 
blockchains, instead of evaluating between ‘Make’ and ‘Buy’ as for the other 
entries, we chose to differentiate between using a ‘private’ or a ‘public’ blockchain. 
This is because blockchains are a very complex technology, and nobody should 
‘Make’ their own, new blockchain (Table 25.1). 


25.3.2 Use Cases 


In this section, three use cases are presented (Table 25.2). 
Table 25.2 Use cases 

Use case | Military: Pros | Military: Cons | Civil Society: Pros | Civil Society: Cons | Economy: Pros | Economy: Cons 
Supply chain for logistics and procurement | Decentralized and secure | None | Decentralized and secure | None | Decentralized and secure | None 
Detached labels and proof of ownership | Resilience and scalable | Ecology | Resilience and scalable | Ecology | Resilience and scalable | Ecology 
Self-Sovereign Identity Management | Durable and stable | Anonymisation and privacy | Durable and stable | Anonymisation and privacy | Durable and stable | Anonymisation and privacy 


25.4 Conclusion 


One of the most exciting problems for the military to solve with blockchains is 
the supply chain management problem. For this task, a public blockchain spanning 
several armies plus their suppliers might reduce costs, increase security, and reduce 
delivery times [11]. In civil society, blockchains and cryptocurrencies will remain 
an investment/speculation vehicle for quite some time. However, there are no real 
advantages to using a blockchain for most applications proposed. Several parts of 
the economy, primarily banks and some parts of retail, can take advantage of current 
and future blockchains to reduce their business running costs. Nevertheless, the 
complexity of blockchain systems still has to be tamed before it makes economic 
sense [12]. 
Chapter 26 
Tunneling and VPN 


Weyde Lin 


26.1 Introduction 


Tunneling is a technique used to transport data packets over a network. The original 
data packets, with a protocol not supported by the host network, are encapsulated 
within another packet and then transported through the network. This technique is 
helpful for encrypted networks and can be used in virtual private networks (VPNs). 
Tunneling can be either full, where all network traffic is routed through the tunnel, 
or split, where only part of the network traffic is routed. The trend in tunneling is 
shifting from VPN access to a zero trust model, where the focus is on protecting 
data and ensuring privacy rather than remote access. 


26.2 Analysis 


26.2.1 Definition 


To transport data through a network, the data is divided into packets. In tunneling, 
packets from one network are sent via another network's connections: the packets 
are encapsulated within other packets and then transported by the second network [1]. 
This means that data with a protocol not supported by a given network can still be sent 
over that network, because the original packet travels inside another packet 
(see Fig. 26.1). 

There are two types of tunnels: 
[Fig. 26.1: Packet B, with Header Packet B (Destination and Protocol), carries as 
its Payload B the whole of Packet A, i.e. Header Packet A (Destination and 
Protocol) plus Payload A] 

Fig. 26.1 Each packet has a header and a payload. The header lists the packet's destination and 
protocol. Packet A is encapsulated by Packet B and becomes its payload 


* In full tunneling all network traffic goes through the tunnel [2]. 

* In split tunneling, only part of the network traffic is routed through the tunnel. 
This allows the user or device to simultaneously access resources in different 
networks [3]. 


Tunneling is very useful in encrypted networks. To create an encrypted tunnel, 
a network packet, including the header, is completely encrypted and encapsulated 
as a payload inside another packet for transport across a network. The payload is 
decrypted at the destination, and the original packet is restored. 

While tunneling is often used in virtual private networks¹ (VPNs), VPN and 
tunneling are technically not the same, and there are VPNs without tunneling. For 
example, the VPN implementation IPsec supports a transport mode in which the 
complete packet is not encrypted and encapsulated; instead, the packet retains its 
original header [5], and only the packet payload is encrypted. 

¹ “A virtual network built on top of existing networks that can provide a secure communications 
mechanism for data and IP information transmitted between networks" [4]. 


26.2.2 Trends 


The internet protocol version 6 (IPv6) is a replacement for IPv4, which, due to its 
limited address space, will be phased out. However, as there 
are still IPv4-only networks that do not support IPv6, the tunneling protocol 6in4 [6] 
allows sending IPv6 packets over an IPv4 network [7]. 
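As an added example (not code from the book), here is what the encapsulation of Fig. 26.1 looks like on the wire for the 6in4 case just mentioned: an IPv6 packet (Packet A) becomes the payload of an IPv4 packet (Packet B) whose protocol field is 41. The addresses and payloads are constructed documentation values, and the peer check in the decapsulator is an assumption about how a tunnel endpoint would be configured, not something the text prescribes:

```python
# Added example (not from the book): building and unpacking a 6in4 packet, i.e. an
# IPv6 packet carried as the payload of an IPv4 packet with protocol number 41.
# Addresses used in the tests are documentation ranges, constructed here.
import socket
import struct

IPPROTO_IPV6 = 41           # IPv4 protocol number for an encapsulated IPv6 packet
IPV4_HDR = "!BBHHHBBH4s4s"  # version/IHL, DSCP/ECN, total length, id, flags/frag,
                            # TTL, protocol, checksum, src, dst
IPV6_HDR = "!IHBB16s16s"    # version/TC/flow, payload length, next header,
                            # hop limit, src, dst


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement checksum; over a header whose checksum field is
    already filled in, the result is 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Outer packet: 20-byte header (no options) followed by the payload."""
    hdr = struct.pack(IPV4_HDR, (4 << 4) | 5, 0, 20 + len(payload), 0, 0x4000,
                      ttl, proto, 0,
                      socket.inet_pton(socket.AF_INET, src),
                      socket.inet_pton(socket.AF_INET, dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def build_ipv6(src: str, dst: str, next_header: int, payload: bytes,
               hop_limit: int = 64) -> bytes:
    """Inner packet: 40-byte IPv6 header followed by the payload."""
    hdr = struct.pack(IPV6_HDR, 6 << 28, len(payload), next_header, hop_limit,
                      socket.inet_pton(socket.AF_INET6, src),
                      socket.inet_pton(socket.AF_INET6, dst))
    return hdr + payload


def parse_ipv4(packet: bytes) -> dict:
    """Header fields plus the payload; rejects a corrupted header."""
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(
        IPV4_HDR, packet[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    return {"src": socket.inet_ntop(socket.AF_INET, src),
            "dst": socket.inet_ntop(socket.AF_INET, dst),
            "ttl": ttl, "proto": proto, "payload": packet[ihl:total_len]}


def parse_ipv6(packet: bytes) -> dict:
    ver_tc_fl, plen, nh, hl, src, dst = struct.unpack(IPV6_HDR, packet[:40])
    if ver_tc_fl >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    return {"src": socket.inet_ntop(socket.AF_INET6, src),
            "dst": socket.inet_ntop(socket.AF_INET6, dst),
            "next_header": nh, "hop_limit": hl, "payload": packet[40:40 + plen]}


def encapsulate_6in4(inner_ipv6: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Packet A (IPv6) becomes the payload of Packet B (IPv4, protocol 41)."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPV6, inner_ipv6)


def decapsulate_6in4(outer: bytes, expected_peer: str) -> dict:
    """Tunnel endpoint: check the outer header, then hand back the inner packet.

    6in4 itself carries no authentication or encryption, so an endpoint should
    only accept outer packets from its configured peer; the expected_peer check
    stands in for that configuration (an assumption of this example).
    """
    outer_hdr = parse_ipv4(outer)
    if outer_hdr["proto"] != IPPROTO_IPV6:
        raise ValueError("outer protocol %d is not 6in4" % outer_hdr["proto"])
    if outer_hdr["src"] != expected_peer:
        raise ValueError("outer packet not from the configured tunnel peer")
    return parse_ipv6(outer_hdr["payload"])
```

The same builder pair also illustrates the encrypted-tunnel case from the definition: there, the whole of Packet A would be encrypted before becoming Payload B, and the decapsulator would decrypt it before calling parse_ipv6.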

Another prominent use case of tunnels is VPNs. The global VPN market is 
expected to grow from US$ 44bn in 2022 to US$ 77.1bn in 2026 [8]. However, 
at the same time, there is also a shift from VPN access to a zero trust model (e.g., 
Zero Trust Network Access (ZTNA) and/or Zero Trust Architectures (ZTA)). For 
example, Google [9] and the US Government [10] both announced shifts from VPN 
solutions to a zero trust model (See Zero Trust factsheet), and a 2021 study found 
that 72% of all companies were adopting or planning to adopt zero trust [11]. 


26.3 Consequences for Switzerland 


There is no Swiss-specific need for tunneling, and the demand is expected to 
be similar to other industrial countries. The exception is VPN providers. Thanks 
to the strict Swiss laws regarding data protection and privacy, the two VPN 
providers VyprVPN and Proton VPN are located in Switzerland. Proton explicitly 
states: "Weil wir in der Schweiz angesiedelt sind, ist Proton VPN durch einige 
der strengsten Datenschutzgesetze der Welt geschützt und bleibt ausserhalb der 
Gerichtsbarkeit der USA und der EU.” [Because we are based in Switzerland, Proton 
VPN is protected by some of the strictest privacy laws in the world and remains 
outside the jurisdiction of the US and EU.] [12]. 


26.3.1 Implementation Possibilities: Make or Buy 


Most tunneling protocols are defined in Request for Comments (RFC) documents 
(see Sect. 26.3.2 Variation and Recommendation below for examples) and then 
implemented by network equipment or software vendors. For VPNs, the most 
common closed-source solutions used globally [13] are Cisco VPN, Cisco AnyConnect, 
Juniper VPN, and Citrix Gateway. There are also two widespread open-source VPN 
solutions: 


* OpenVPN [14] is an open-source (GNU GPLv2) VPN system that uses the 
OpenSSL library to encrypt the data as well as the control channels. It was first 
released in 2001. The throughput over an OpenVPN tunnel is somewhat limited, 
but the software runs on any operating system and platform, which makes it widely 
used. 

* WireGuard [15] is an open-source (GNU GPLv2) VPN implementation designed to 
be easy to use, with improved performance compared to other VPN implementations 
and a low attack surface. 
26.3.2 Variation and Recommendation 


There are many tunneling protocols in use today; a few are listed below: 


* GRE Tunneling [16]: Generic Routing Encapsulation (GRE) is a protocol where 
packets are encapsulated inside other packets. It can connect separate networks 
and allows protocols on a network that does not support said protocols. 

* IP-in-IP [17]: Here, IP packets are encapsulated inside other IP packets. There 
is no encryption, and the encapsulated packets remain unmodified. 

* SSH tunneling [18]: SSH is typically used for terminal access to a remote 
machine, but it can also be used to establish a secure tunnel between two 
computers. 

* Point-to-Point Tunneling Protocol (PPTP) [19]: PPTP is an obsolete VPN 
protocol that uses a GRE tunnel. 

* Secure Socket Tunneling Protocol (SSTP) [20]: SSTP is a replacement and 
improvement of PPTP, which encrypts the transfer with SSL/TLS. 

* Layer 2 Tunneling Protocol (L2TP) [21]: L2TP is a tunnel protocol mainly 
used in VPNs. It provides a tunnel for Layer 2.² 

* Virtual Extensible Local Area Network (VXLAN) [24]: VXLAN is a network 
virtualization technique that allows Layer 2 connection over a Layer 3³ network. 

* IPv6 in IPv4 Tunnel (or IPv4 in IPv6 Tunnel): In 6in4, IPv6 packets are 
encapsulated in IPv4 packets. This allows the transport of IPv6 packets over 
an IPv4 network. The opposite holds for 4in6, IPv4 over an IPv6 
network [6]. 


26.4 Conclusion 


Tunneling is essential for the secure access of a remote resource as an integral part 
of most VPN implementations. Without such encrypted tunnels, the traffic to this 
remote resource would be unencrypted and could be tapped by a malicious third 
party. In addition, tunneling allows connecting networks (e.g., VXLAN) or enables 
the use of communication protocols on networks that do not support them (e.g., 6in4). 


² “Layer 2, also known as the Data Link Layer, is the second level in the seven-layer OSI [Open 
Systems Interconnection, see [22]] reference model for network protocol design" [23]. 


³ Layer 3 is the Network Layer and the third level in the seven-layer OSI reference model [25]. 
Part IV 
Data Protection 


Chapter 27 
Differential Privacy 


Valentin Mulder and Mathias Humbert 


27.1 Introduction 


Differential privacy is a technology that allows for sharing information about a 
dataset while ensuring the protection of individual privacy by adding noise to the 
results. This results in a constraint on the algorithms used to publish information 
about a statistical database, limiting the disclosure of private information. Dif- 
ferential privacy is becoming increasingly important as a tool for companies to 
collect information while controlling the visibility of sensitive data. The field is 
rapidly advancing with the development of accessible tools and the focus on the 
usability of open-source differential privacy systems. The technology could benefit 
Switzerland with the upcoming federal act on data protection, as companies such as 
Apple and Google have already utilized it to comply with privacy regulations. The 
implementation of differential privacy can either be done in-house or by purchasing 
tools. 


27.2 Analysis 


The literature on privacy protection abounds in various methods whose guarantees 
are not robust to the auxiliary information a strong adversary may have. Differential 
privacy provides new means to achieve generic and robust privacy guarantees that 
do not depend on the adversary's auxiliary information. It has applications in 
myriads of settings: census, labor statistics, health records, security, genome-wide 
association studies, monitoring of education quality, analysis of business strategies, 
and so on [1]. 


27.2.1 Definition 


Differential privacy is a technology for sharing information about a dataset by 
describing the patterns of groups within the dataset while withholding information 
about individuals. This is mainly achieved by adding noise to the results. It has 
the following effect: if the effect of an arbitrary single substitution in the database 
is small enough, then the query result cannot be used to infer much about any single 
individual. Differential privacy, therefore, provides formal privacy guarantees. 
Another way to describe differential privacy is as a constraint on the algorithms used 
to publish aggregate information about a statistical database. This limits the 
disclosure of private information about records whose information is in the database. 
For example, differentially private algorithms are used by some government agencies 
to publish demographic information or other statistical aggregates while ensuring the 
confidentiality of survey responses, and by companies to collect information about 
user behavior while controlling what is visible even to internal analysts [2]. It is also 
important to note that adding noise to a data set may render it less valuable. 

Roughly speaking, an algorithm is differentially private if an observer seeing its 
output cannot tell whether a particular individual's information was used in the 
algorithm's computation. Differential privacy is often discussed in the context of 
identifying individuals whose information may be in a database. Although it does 
not directly refer to identification and reidentification attacks, differentially private 
algorithms provably resist such attacks [3]. 


27.2.2 Trends 


In the cases of counting, summation, or average queries over a large, single table 
of data, DP is ready to be used effectively. However, some other settings still have 
problems. For example, one key drawback of differential privacy is that it often 
trades data accuracy for privacy. Typically, if the database on which statistics are 
computed is too small, the amount of noise that needs to be added to the statistics 
is often too high to keep any statistical accuracy. Moreover, the DP guarantees 
decrease proportionally to the number of statistical queries made to the database. 
Similarly, implementations of queries on multiple tables, synthetic data generation, 
and deep learning exist, but they may not always be accurate enough [4]. These 
drawbacks are due to the strong adversarial assumptions that are key to providing 
formal privacy guarantees against an adversary. 
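The noise-versus-accuracy and query-budget trade-offs described here, together with the definition in Sect. 27.2.1, can be made concrete with the Laplace mechanism. The following is an added illustration, not code from the book or from any of the libraries it cites; the table rows, the privacy budget and the query epsilons are constructed values:

```python
# Added example (not from the book): the Laplace mechanism for counting and
# bounded-sum queries over one table, plus a privacy-budget accountant showing
# how the guarantee is used up as more queries are answered. Rows are constructed.
import math
import random


def laplace_scale(sensitivity: float, epsilon: float) -> float:
    """Noise scale b = sensitivity / epsilon makes the query epsilon-DP."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return sensitivity / epsilon


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Draw from Laplace(0, scale) by inverting its CDF."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(1.0 - 2.0 * abs(u))


def expected_relative_error(true_value: float, sensitivity: float, epsilon: float) -> float:
    """Mean absolute Laplace noise equals the scale, so the relative error grows
    as the true value shrinks: small databases get drowned in noise."""
    return laplace_scale(sensitivity, epsilon) / abs(true_value)


class PrivateTable:
    """Answers statistical queries on a single table under a total epsilon budget.

    Under basic sequential composition the epsilons of all answered queries add
    up, so each answer is charged against the budget until it is exhausted.
    """

    def __init__(self, rows, epsilon_budget: float, seed=None):
        self.rows = list(rows)
        self.budget = epsilon_budget
        self.spent = 0.0
        self.rng = random.Random(seed)

    def remaining(self) -> float:
        return self.budget - self.spent

    def _charge(self, epsilon: float) -> None:
        if epsilon <= 0:
            raise ValueError("epsilon must be positive")
        if self.spent + epsilon > self.budget + 1e-12:
            raise RuntimeError("privacy budget exhausted")
        self.spent += epsilon

    def count(self, predicate, epsilon: float) -> float:
        """Adding or removing one row changes a count by at most 1 (sensitivity 1)."""
        self._charge(epsilon)
        true = sum(1 for r in self.rows if predicate(r))
        return true + laplace_sample(laplace_scale(1.0, epsilon), self.rng)

    def bounded_sum(self, key, lo: float, hi: float, epsilon: float) -> float:
        """Values are clamped to [lo, hi] first, which bounds the sensitivity to
        hi - lo; an unbounded sum would have no finite sensitivity at all."""
        self._charge(epsilon)
        true = sum(min(max(r[key], lo), hi) for r in self.rows)
        return true + laplace_sample(laplace_scale(hi - lo, epsilon), self.rng)


# constructed sample rows (not real survey data)
ROWS = [
    {"age": 34, "smoker": True,  "income": 52000},
    {"age": 51, "smoker": False, "income": 87000},
    {"age": 29, "smoker": True,  "income": 41000},
    {"age": 62, "smoker": False, "income": 120000},
    {"age": 45, "smoker": False, "income": 64000},
    {"age": 38, "smoker": True,  "income": 250000},
]
```

With six rows and epsilon = 0.5 the count query has noise scale 2, i.e. an expected error of two people on a true count of three, which is the small-database problem the paragraph above describes; the same query on a table of a million rows would be answered almost exactly.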
Progress on tools for differential privacy has accelerated rapidly in the past 
several years, and we look forward to the availability of accessible tools for these 
tasks shortly. Indeed, companies like Apple or Google already use differential privacy 
to anonymize their customer data [5, 6]. This is complemented by different open-source 
libraries, like the ones from Google and IBM [7, 8]. 

The academic field also works on challenges like ensuring correctness and 
automatic proofs. Nevertheless, the solutions remain primarily theoretical. Finally, 
open-source differential privacy systems have recently started focusing on usability. 
The OpenDP [9] and diffprivlib [10] projects both provide notebook-based program- 
ming interfaces that will be familiar to many data scientists, as well as extensive 
documentation. Researchers are beginning to study the usability of systems like 
these, which will likely lead to further improvements [11]. 


27.3 Consequences for Switzerland 


The federal act on data protection should come into effect in September 2023 [12]. 
Differential privacy could be a great tool to help the government and large 
companies better comply with this new law. Big tech companies, like Apple, 
Google, Uber, and Facebook, have used different applications of this technology 
that could be a source of inspiration for Switzerland [13]. The primary example 
remains the United States Census, which takes place every ten years [14]. 


27.3.1 Implementation Possibilities: Make or Buy 


See Table 27.1. 


27.4 Conclusion 


Organizations should consider differentially private approaches to increase data 
protection. While differential privacy is not a field that is widely commercially 
developed, it can provide beneficial results when properly applied. 

Differential privacy is a powerful tool for quantifying and solving practical 
problems related to privacy. Its flexible definition allows it to be applied in a 
wide range of applications, including machine learning applications [4, 15]. The 
technology is at its starting point. However, it holds the promise of benefiting big 
data analysis without compromising on privacy [16]. 
Table 27.1 Implementation possibilities for different sectors 

Sector | Make: Pros | Make: Cons | Buy: Pros | Buy: Cons 
Military | Full control over implementation | Error in implementation and lack of compatibility | Working solution | Might contain accidental or purposeful backdoors 
Civil Society | None | Many resources needed to implement a functioning solution | Easy adoption | Associated cost and lack of technical knowledge 
Economy | In-house solution | Liability in case of security holes | Easy implementation and no liability in case of security holes | 
Chapter 28 
Digital Rights Management 


Sophia Ding 


28.1 Introduction 


Digital Rights Management (DRM) systems have been used for decades to protect 
companies' intellectual property and ensure the trusted exchange of digital informa- 
tion over the internet. DRM systems serve multiple functions, such as access control, 
usage control, billing, and the pursuit of legal infringements. These functions are 
achieved through various technologies, such as encryption, digital signatures, digital 
watermarks, secure authentication, rights expression languages, and product keys. 
The section provides a comprehensive overview of the various DRM functions and 
technologies, making it an essential resource for anyone interested in understanding 
the workings of DRM systems. 


28.2 Analysis 


Digital Rights Management has been around for decades. However, traditional 
systems were designed for something other than the highly interconnected world 
where content such as music, movies, and eBooks are just a click away. In addition, 
new technologies such as blockchain have the potential to revolutionize the DRM 
system. As a result, the importance of DRM is decreasing in some industries, but it 
remains an essential part of modern business models in the streaming economy. 
28.2.1 Definition 


Essentially, Digital Rights Management refers to the "trusted exchange of digital 
information over the Internet in which the user is granted only those privileges 
granted by the document sender" [1]. A Digital Rights Management system is 
designed to protect companies' intellectual property, i.e., their intellectual creations 
and the underlying business models. The first DRMs were used in the 1980s 
as copy protection for pay television. In recent decades, in the wake of 
digitalization, use cases in the music and gaming industries have been 
identified [2]. 

DRM systems protect a copyright holder's interests in the following ways: 


* Access control (AC): Using DRM, only authenticated and identified users can 
access legal content. It is possible, for example, that the content is encrypted and 
that only authorized users are permitted access [3]. In addition, it is possible 
to restrict access to content based on specific criteria. For example, content 
is available only to individuals within a particular geographical area (regional 
lockout) [4]. 

* Usage control (UC): It is determined by DRM systems how much users can 
consume. Depending on the user group and the type of subscription, this might 
vary [2]. In addition, it is possible to apply other types of restrictions, such as 
activation limits, which limit the number of devices on which content can be 
installed and consumed [3]. 

* Billing (BI): Various billing models can be implemented within DRM systems 
[2]. 

* Pursuit of legal infringements (LI): The use of DRM systems allows the ex-post 
verification of the authenticity and integrity of the content. Watermarks and tags 
may indicate that a piece of content is protected by a copyright. Copy protection 
is an everyday use case for this function [5]. 


Each of the above functions relies on a different technology. Table 28.1 provides 
examples. 
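To show how the functions in the list above combine in one mechanism, here is an added example (not code from the book or from any DRM product) of a signed license token as a content server would check it: the token is a small machine-readable rights expression, HMAC-SHA256 stands in for the signature technology, and the users, content IDs, regions and secret key are constructed values:

```python
# Added example (not from the book): a signed license token exercising access
# control (regional lockout), usage control (activation limit) and the ex-post
# detection of an altered token. Secret, users and content IDs are constructed.
import base64
import hashlib
import hmac
import json


class LicenseError(Exception):
    pass


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_license(secret: bytes, user: str, content_id: str, regions, max_devices: int,
                  expires_at: int) -> str:
    """Rights expression: who may use what, where, on how many devices, until when.
    The issuer authenticates the claims so that consumers cannot rewrite them."""
    claims = {"user": user, "content": content_id, "regions": sorted(regions),
              "max_devices": max_devices, "exp": expires_at}
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(secret, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def verify_license(secret: bytes, token: str) -> dict:
    """Return the claims only if the tag over the exact body matches."""
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except ValueError:
        raise LicenseError("malformed token")
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise LicenseError("signature mismatch")
    return json.loads(body)


class ActivationRegistry:
    """Usage control: remembers which devices each (user, content) pair activated."""

    def __init__(self):
        self.devices = {}

    def activate(self, claims: dict, device_id: str) -> bool:
        key = (claims["user"], claims["content"])
        active = self.devices.setdefault(key, set())
        if device_id in active:
            return True                       # an already activated device
        if len(active) >= claims["max_devices"]:
            return False                      # activation limit reached
        active.add(device_id)
        return True


def authorize(secret: bytes, token: str, registry: ActivationRegistry,
              device_id: str, region: str, now: int):
    """Decide whether this device, in this region, may consume the content now."""
    try:
        claims = verify_license(secret, token)
    except LicenseError as err:
        return False, "invalid license: %s" % err
    if now > claims["exp"]:
        return False, "license expired"
    if region not in claims["regions"]:
        return False, "regional lockout"
    if not registry.activate(claims, device_id):
        return False, "activation limit reached"
    return True, "ok"
```

In a deployed system the HMAC key would be replaced by the issuer's private signing key and a public verification key, so that the verifying party (a player or a partner platform) cannot itself mint licenses; the order of checks above, authenticity first and then the individual rights, is what matters for the design.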

In recent years, DRM systems have been controversial due to privacy concerns, 
their potential negative impact on open-source software, and their incompatibility 
with fair use principles [3]. Fair use is based on the belief that the public is entitled 
to freely and impartially access portions of copyrighted materials for comment and 
critique [9]. 


28.2.2 Trends 


It is important to note that the importance of DRM varies across industries: although 
it is diminishing in the traditional music industry, numerous business models of 
streaming platforms and eBook providers are based on it [2]. Key DRM 
trends in the coming years are listed in Table 28.2. 
Table 28.1 Technologies on which different digital rights management functions rely 
(AC = access control, UC = usage control, BI = billing, LI = pursuit of legal 
infringements; the ++/+ marks are given in the order printed) 

Technology | Description | AC UC BI LI | Refs. 
Encryption | Encrypted information is used to protect the confidentiality of information from unauthorized access. | ++ ++ + | [2, 5] 
Digital Signature | Authenticates documents using the creator's private key, which represents a digital fingerprint. See also Digital Signature (Chapter 15). | ++ | [2, 5] 
Digital Watermark | Ensures the authenticity and integrity of a digital work by containing hidden steganographic meta-information within the digital work, which allows a unique identification of the work. | + + ++ | [2, 5, 6] 
Secure Authentication | In light of trends such as the Internet of Things and wearable devices, biometric authentication is becoming increasingly relevant. The term refers to identifying individuals based on their physical characteristics or behavior. A smartcard can authenticate all parties within a DRM environment and is an alternative to encryption-based authentication. See also Biometrics (Chapter 22) and Authentication (Chapter 29). | ++ ++ | [2, 5, 7] 
Rights Expression Language | Representation of the licensing conditions in a machine-readable format to limit access to the content. | ++ ++ ++ | [2] 
Product Keys | Used to prevent the unauthorized access of a particular copy of the software. | ++ ++ + | [8] 

Table 28.2 Key digital rights management trends 

Trend category | Trend | Description | Refs. 
Use cases | Online education platforms | Online education platforms (e.g., Coursera) are becoming increasingly popular. They pose several challenges in DRM, such as the infringement of the course's copyright and the verification of online certificates. Recently, blockchain-based DRM solutions have been suggested for this application. | [10] 
Use cases | Music streaming platforms | Music streaming platforms (such as Spotify) with millions of users have created new challenges for digital rights management since DRM was created when streaming was not an option. A chain of contracts is generated whenever a user streams a song, and rights are transferred. Consequently, streaming platforms have begun experimenting with blockchain technology to eliminate the "middleman" and simplify the transaction process. | [11] 
Technical development | DRM based on blockchain | The traditional DRM systems pose several challenges, which new digital business models, such as streaming platforms, exacerbate. These include 1) the centralization of protected information, which makes it more susceptible to cyberattacks, and 2) the opaque nature of copyright and transaction information, negatively impacting the user experience. On the other hand, blockchain technology, especially non-fungible tokens (NFT), is a decentralized, secure, and reliable technology that can be maintained collectively. Therefore, it offers an interesting alternative to existing DRM systems. | [11, 12, 13, 14, 15] 
Technical development | DRM based on biometrics | The Internet of Things (IoT), for example, has created numerous possibilities for accessing content from mobile devices. DRM systems that utilize biometrics provide a good user experience. However, biometric-based authentication schemes are susceptible to device theft. These risks may be addressed by authentication protocols that use several factors, including biometrics. | [16, 17] 
Risks | Chip shortage | Several DRM systems make use of computer chips as watermarks: In 2022, Canon, the manufacturer of printers and copy machines, was forced to disable its DRM system for office printers due to a shortage of the chips required to ensure that only original Canon toner cartridges are inserted into Canon products. As a result of the semiconductor crisis and its impacts on global value chains, DRM systems have also been adversely affected. | [18] 
28.3 Consequences for Switzerland 


The World Intellectual Property Organization (WIPO) published two Internet 
treaties in 1996 [19, 20], which govern copyright issues, such as those related to 
music records. As a result of these treaties, intellectual property is legally protected, 
and those who infringe on this property are sanctioned. In 2008, Switzerland ratified 
these treaties by amending its federal copyright law (Copyright Act, CopA) [21, 22]. 
Following the Copyright Act, users are prohibited from circumventing DRM unless 
there are legal requirements, such as prosecution. In addition, a Swiss Monitoring 
Office for Technological Measures (OTM) was established after the revision of the 
Copyright Act to continuously evaluate the impacts of technological measures on 
the consumption of copyrighted content. 

Several Swiss research groups work on DRM, ranging from consumer acceptance 
of protected digital content to blockchain technology and collective rights 
management [23, 24]. ETH Zurich's Intellectual Property Group (Bechtold), part of 
the Center for Law & Economics, focuses specifically on DRM [25]. A project on 
innovative rights and access management inter-platform was also co-funded by the 
federal government in the past [26]. Sharedien (Wallisellen, ZH) offers cloud-based 
DRM services in the private sector. 


28.3.1 Implementation Possibilities: Make or Buy 


As far back as the 1980s, the first commercial DRM software was known as 
DigiBox. It had its origins in library software. Xerox and IBM were among the 
first large commercial providers of DRM [27]. Intending to create a royalty-free 
DRM standard in 2005, Sun Microsystems launched an open-source project (DRM 
everywhere/available). Unfortunately, the project was discontinued in 2008 due to 
inactivity [28]. 


28.3.2 Variation and Recommendation 


Concepts related to DRM include: 


* Digital Asset Management (DAM): A DAM is a system used by organizations 
to manage (e.g., store, retrieve, organize, or share) content in an asset library. 
Therefore, DAM is a component of DRM. To avoid legal penalties, DRM utilizes 
technical means to ensure that a company does not infringe copyright when using 
content from its asset library [2, 29]. 

* Enterprise DRM (EDRM): As a pillar of data-oriented security and an integral 
part of security concepts, EDRM is becoming increasingly important. As with 
DRM systems, EDRM systems offer various functionalities, including access 
control and identity management. Access rights to data are defined by EDRM 
systems independently of the application, device, or access point used by the user 
or users. Users must authenticate themselves in order to access restricted content. 
A typical use case would be protecting highly confidential documents and emails 
exchanged between, and accessible to, several parties. 
The rights of access to data can expire or be revoked by the owner of the data [30]. 


28.4 Conclusion 


Although DRM systems have been widely used to protect the copyright of mul- 
timedia content, organizations also use DRM systems for security purposes. In 
an increasingly interconnected world, DRM systems will become increasingly 
important overall, but they will lose their influence in specific industries, such as 
the traditional music industry. 
Chapter 29 
Authentication 


Belinda Müller 


29.1 Introduction 


The purpose of authentication is to verify the identity of an entity. The number of 
factors required to authenticate an entity determines the type of authentication— 
single-factor, two-factor, or multi-factor. The section delves into the trends and 
advancements in the field of authentication, with a focus on security and usability. 
The section covers topics such as the current state of password security, the 
emergence of passwordless authentication, and the future potential of biometric 
authentication. The section also discusses current authentication trends, including 
adaptive and continuous authentication. 


29.2 Analysis 


29.2.1 Definition 


Authentication is the process of verifying an entity's identity based on 
one or multiple factors [1]. A factor can be something the entity is (e.g., device 
fingerprinting for devices, or biometrics such as a retina, face, or behavior for a 
person), possesses (e.g., a token or a bank or ID card), or knows (e.g., a password 
or algorithm) [2]. Sometimes a location factor is listed as a fourth category [3]: 
the location and/or time of the entity's login, e.g. GPS coordinates, IP address, or 
cellular triangulation. An entity may be, for instance, a computer or smartphone 
or a user using such a device. Depending on the number of credentials (or factors) 
required, the authentication process is referred to as single-factor authentication 
(SFA), two-factor authentication (2FA), or multifactor authentication (MFA). Note 
that MFA includes two-factor authentication. Behavior can also be a factor in 
behavior-based authentication and continuous authentication systems. 


29.2.2 Trends 


Security Factors 

Password security has inherent weaknesses [4], particularly susceptibility to social 
engineering (for example, phishing) and dictionary attacks. However, passwords 
remain the most popular authentication method worldwide, according to an Okta 
Inc. study conducted in 2021 [5]. According to this study, 5% of organizations 
worldwide use passwords as their primary security measure. Moreover, the password 
management market revenue is expected to increase from 1.25 billion U.S. 
dollars in 2020 to 3.07 billion U.S. dollars by 2025 [6]. 

Although the knowledge factor is still omnipresent, the opposite trend of 
passwordless authentication is emerging. Passwordless authentication eliminates 
the knowledge factor and relies on stronger security factors such as 
ownership and biometrics. In 2020, the worldwide market revenue for passwordless 
authentication was approximately 10.3 billion U.S. dollars and was expected to 
reach 25.2 billion U.S. dollars by 2025 [7]. However, biometrics is often just an 
add-on for better usability, especially in the mobile domain. For example, Android 
phones and iPhones still rely on a PIN or strong password in the background. A promising 
approach to passwordless authentication is the authentication standard FIDO2, 
which was developed by the FIDO Alliance, an open industry association. FIDO2 
is based on public key cryptography, stores credentials on a user's device, and uses 
unique credentials for every website [8]. This makes it resistant not only to replay 
attacks and password theft but also to some phishing attacks [8], to which other 
forms of MFA are still susceptible. However, this does not prevent online phishing 
attacks where the attacker acts as a proxy to the actual service. 
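The per-site public-key credential and single-use challenge just described, as an added example in Go that is not code from the chapter or from the FIDO Alliance: a WebAuthn-style registration and login reduced to its cryptographic core, with constructed RP IDs and user name and a simplified challenge encoding.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device: one key pair per relying party (RP),
// generated on the device and never reused across sites.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // RP ID -> private key
}

// Register creates a fresh key pair for rpID and hands only the public key to the RP.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// toBeSigned binds a signature to the RP and to this one challenge (simplified encoding).
func toBeSigned(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Sign answers a challenge with the key registered for rpID; a device never
// registered at this RP has nothing to sign with.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential for this relying party")
	}
	return ecdsa.SignASN1(rand.Reader, priv, toBeSigned(rpID, challenge))
}

// RelyingParty is the server: public keys only (nothing a breach could reuse as a
// password) plus one outstanding challenge per user.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge issues 32 random bytes that are valid for exactly one assertion.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[user] = ch
	return ch, nil
}

// Verify accepts only if the challenge is the user's outstanding one (so a captured
// signature cannot be replayed) and the signature verifies under the enrolled key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) error {
	want, ok := rp.pending[user]
	if !ok || !bytes.Equal(want, challenge) {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.pending, user) // single use, whatever the outcome below
	pub, ok := rp.pubKeys[user]
	if !ok || !ecdsa.VerifyASN1(pub, toBeSigned(rp.ID, challenge), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Demo registers a device at a constructed RP and returns the outcomes of a normal login,
// a replay of the same signature, and a login at a second RP where no per-site key exists.
func Demo() (login, replay, otherSite error) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	bank := &RelyingParty{ID: "bank.example", pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
	pub, _ := auth.Register(bank.ID) // error handling elided in this demo
	bank.Enroll("alice", pub)
	ch, _ := bank.NewChallenge("alice")
	sig, _ := auth.Sign(bank.ID, ch)
	login = bank.Verify("alice", ch, sig)
	replay = bank.Verify("alice", ch, sig)
	_, otherSite = auth.Sign("shop.example", ch)
	return login, replay, otherSite
}

func main() {
	login, replay, other := Demo()
	fmt.Println("login:", login, "| replay:", replay, "| other site:", other)
}
```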

With the surge of wearables and other IoT devices, biometric factors could in the 
future be the only workable solution, as for wearables. This might be problematic 
because these new devices will need a strong password. By 2027, the worldwide 
biometric authentication and identification market is expected to reach almost 100 
billion U.S. dollars, up from 33 billion U.S. dollars in 2019 [9]. Legacy systems 
and applications are considered the significant barriers to large-scale use of 
passwordless authentication: in 2022, 61% of IT staff and 58% of IT security leaders 
worldwide reported that legacy systems and applications not supporting the technology 
was one of the main barriers to going passwordless [10]. 
Authentication Approaches 
Current trends attempt to enhance security and usability. These include: 


* Adaptive authentication [11]: In adaptive or risk-based authentication, the 
authentication procedure is determined by an entity's context. Contextual factors, 
such as a device's location or the sensitivity of the data a user requests, are considered 
during authentication. From these, an authentication risk score is calculated, 
often utilizing machine-learning techniques. This risk score determines how 
many security measures are required. Adaptive authentication thus maintains 
security while increasing usability. This approach was 
recommended in the NIST Digital Identity Guidelines from 2017 [12]. 

* Continuous authentication [3]: In continuous or active authentication, the 
identity of an entity is recurrently verified based on patterns derived from continuous 
monitoring of the entity. This is achieved primarily by using behavioral 
or biometric factors such as keystroke patterns, mouse movements, or gait 
patterns (see also Real-time Biometric Authentication in Chap. 22). With this 
approach, impersonation attacks can be prevented more effectively than with static 
authentication: the perpetrator must continuously mimic the entity's behavior. 
Otherwise, they would be blocked as soon as atypical behavior is detected [13]. 
However, the continuous collection of biometric and behavioral data has raised 
concerns regarding privacy, which must be addressed. 

* Authentication technology for the approval of sensitive user actions: Authen- 
tication technology is commonly used to approve financial transactions: the 
transaction details are sent to the payer via an independent channel to be 
confirmed via a security factor, for example, via 3D Secure (see Chap. 32.1 for 
details). This can help secure transactions against the compromise of operating 
systems or browsers through malware. However, using authentication technology 
to approve sensitive user actions is not limited to financial transactions but can 
also be implemented, for example, for changing one's online account details. 


29.3 Consequences for Switzerland 


According to a study conducted by ESET in 2022, most Swiss smartphone users 
use a PIN to access their smartphones [14], and Swiss people need to manage their 
passwords better. In the study, 12% of the participants used identical passwords 
for multiple accounts, whereas only 5.8% did so in Germany [15]. According to the 
study, 14% of Swiss participants always use 2FA for online services, which is 
in line with the recommendation by the Swiss National Cyber Security Centre to 
use MFA whenever possible [16]. In Germany, however, 27.8% reported always 
using two-factor authentication; the Swiss share is still significantly lower. Regarding biometric 
authentication, there seems to be a general interest and openness to this technology 
among the Swiss people: As of 2019, 85% of Swiss citizens indicated that 
fingerprint authentication was the most secure method for making credit card 
payments [17]. 

Authentication is also generally well represented in research in Switzerland, e.g., 
at the Idiap Research Institute ([18], biometric authentication) and IBM Zurich ([19], 
password cryptography). This research has also been successfully transferred, leading 
to spin-offs like Token2 Sàrl (University of Geneva) and Futurae Technologies 
AG (ETH Zurich). 


29.3.1 Implementation Possibilities: Make or Buy 


In choosing a particular authentication solution for an organization, it is crucial to 
balance security, usability, cost, and privacy considerations. For private individuals, 
the authentication solution for a particular service can be predetermined, although 
stronger authentication can be enabled if desired. Security can also be increased by 
purchasing additional solutions, such as a password manager or hardware security 
keys. The following are some considerations for the different security factors: 


* Knowledge factor: Passwords are still prevalent, so it is essential to maintain 
a secure password management system. A variety of commercial password 
managers can assist in breaking habits like reusing passwords or writing them 
down. There are also free options, such as open-source password managers, and 
numerous options integrated into many browsers and smartphones. According 
to Grauer and Klosowski [20], 1Password [21] is the best password manager, 
whereas Bitwarden [22] is the best free solution. 

* Ownership factor: There is an abundance of authenticator applications to choose 
from, including Authy [23], the Microsoft Authenticator [24], or Duo [25]. The 
Yubico Security Key series [26] and the Google Titan Security Key [27] can 
also be purchased as hardware tokens. It is essential to consider whether such 
devices meet industry standards such as FIDO2 and whether they are compatible 
with future trends such as passwordless authentication. In addition to hardware 
tokens, Swiss providers offer software tokens, including Swiss SafeLab, Token2 
Sàrl, or Futurae Technologies AG. 

* Biometric factor: The sourcing of biometric authentication solutions can be 
challenging due to the highly specialized technology required. Furthermore, 
privacy regulations and data protection regulations need to be considered. One 
option to address privacy for biometric authentication is to store biometric data 
only on a user's device instead of remotely on servers. For more on privacy and 
on commercial and open-source solutions, see Chap. 22. 
29.4 Conclusion 


Though knowledge-based authentication has been known to have shortcomings, it 
remains the most popular method for entity authentication. The shortcomings are 
currently addressed through sophisticated password management and multifactor 
authentication. Nevertheless, concurrently with the increase in IoT devices and 
advances in machine learning, there is a trend towards passwordless authentication 
utilizing biometrics and new authentication approaches such as continuous and 
adaptive authentication. While these trends suggest a more secure and user-friendly 
authentication process, they may also introduce new privacy concerns that must be 
addressed in the future. 
Part V 
Use-Cases 


Chapter 30 
Secure Media 


Touradj Ebrahimi 


30.1 Introduction 


Technological advancements make it easy to capture, process and distribute multimedia 
content such as sound, picture, and video. This has been made possible 
through the widespread use of mobile multimedia devices, access to cloud computing 
infrastructure, broadband communication, and social networks. However, 
this paradigm also brings new security challenges, particularly in media security. 
Media security is a subset of information security and is concerned with protecting 
the semantic information behind multimedia assets, such as images, rather than a 
specific representation of that information. Media security problems can be divided into two main 
clusters: creator-centric and content-centric. The former is about problems related 
to the content creator, such as copyright protection and source authentication. The 
latter concerns the content, such as conditional access and integrity verification. 
Media security solutions include labeling, monitoring, fingerprinting, forensics, and 
watermarking. 


30.2 Analysis 


With advances in information and communication technologies, it is now easy to 
capture, process (including manipulate), and widely distribute content seamlessly. 
The past practices where content was produced by just a few professionals (e.g. 
press and media outlets) and distributed through a limited number of channels (e.g. 
radio and TV) have been replaced by social media and user-generated content, where 
not only professionals but also consumers can generate content of all sorts in 
the form of sound, picture and video and distribute it widely. 

This change has been, in particular, triggered by the wide adoption of mobile 
multimedia (e.g. smartphones with high-performance cameras and microphones, 
powerful processors, and wideband networks), a growing number of Internet of 
Multimedia Things (e.g. security cameras, smart glasses, wearable cameras), access 
to affordable cloud computing infrastructure (e.g. ample capacity storage and 
processing power and associated software), broadband communication (e.g. high- 
speed Internet and 5G), social networks (e.g. Instagram, Snapchat, and TikTok) and 
computational imaging and computer vision based on artificial intelligence. 

This new paradigm brings considerable advantages and challenges, particularly 
regarding security. 

Media security is a subset of information security where the information exhibits 
several specificities, among which the most important are: 


* The information in media has a perceptual dimension, in the sense that it is 
destined to be perceived either by humans (in a large majority of cases today) 
or analyzed by machines (a growing trend). 

* The information in media exhibits a particular underlying structure that can be 
leveraged both to secure and attack them. 

* The information in media often represents high-value assets either from monetary 
(e.g. music and movies) or affective (photos of essential persons or events) 
viewpoints. 


Many tools and solutions developed in generic information security can be 
directly applied to media. For example, one could digitally sign (see Chap. 15) 
an image to enable viewers to check its authenticity. This is of limited use for 
securing media because media security is about protecting information, not a specific 
representation of it. Consequently, to protect the integrity of information in an 
image, one would need a technology that is indifferent to conversion of the image to a 
different format or to a slight change in its resolution. It should also be able to cope with 
image artifacts caused by such conversions, such as compression artifacts. 

One of the significant differences, and the main objective of media security, is 
to protect the semantic information representing assets in multimedia as opposed 
to protecting the specific representation of such content. For example, when 
protecting the integrity of a picture in JPEG format, a good media security solution 
will not merely protect the integrity of the bits that represent that picture in that 
format but the semantic content behind those bits. This can be done in such a way 
that the integrity remains protected if those bits change (for example, if the 
picture is converted to PNG format) without changing the content behind the bits 
(as long as the content of the picture has not changed and it is perceived the same). 

In addition, several security concepts, such as integrity protection, are different 
in the context of media than in generic information. Others, such as watermarking, 
have no direct counterparts. 
Fig. 30.1 Media security problems and related solutions 


Media security problems can be divided into two main clusters, creator-centric 
and content-centric. The first one is about problems related to the content 
creator. These can be divided into two categories: copyright protection, ensuring 
that the creator holds the rights related to the content, and source authentication, 
which ensures that the content is linked to its creator. The second cluster is about the 
content itself. It can also be divided into two categories: conditional access, which 
can be linked to digital rights management (see Chap. 28), and integrity verification, 
which is about verifying that the content has not been modified (Fig. 30.1). 


30.2.1 Definition 


Labeling [1]: Annotation of multimedia content, taking advantage of its metadata 
insertion mechanism, to provide information about the conditions of use and 
ownership. The label can be placed at a pre-defined location in the file format and 
accessed there, or take the form of a visible mark, logo, or label, mainly when the content is 
of visual form. 

Monitoring [2]: Tracing the ownership changes of a digital asset (content) by 
keeping a record of it in a ledger (e.g. in a blockchain). 

Fingerprinting [3]: Inclusion of information about interactions between users and 
content into a media asset. 

Forensics [4]: General term referring to all analytical techniques for detecting whether 
a digital asset has been tampered with or comes from the claimed source. 

Watermarking [5]: Insertion of imperceptible information (e.g. an identifier) 
through a secret code within a digital asset. 
Encryption [6]: An algorithm to convert a piece of clear information into a cipher 
text and vice versa through a secret key. 

Hashing [7]: An algorithm that cryptographically maps a digital asset into a predefined 
number of bits in a hard-to-reverse manner to create a unique fingerprint of 
the content, which changes with the slightest modification. A perceptual hash 
is an algorithm like a cryptographic hash, but the signature is modified only when 
the semantic content of the digital asset is modified. 
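The difference between the cryptographic hash and the perceptual hash defined above, together with the requirement stated earlier in this section that integrity protection should survive a change of representation, as an added example that is not code from the chapter: a simple average hash over an 8x8 grid compared with SHA-256 on a constructed 32x32 gradient picture, its downscaled copy, and a mirrored copy.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Gray is a minimal 8-bit grayscale image, Pix[y][x].
type Gray struct {
	W, H int
	Pix  [][]uint8
}

// NewGray builds an image from a pixel function (used here to construct sample input).
func NewGray(w, h int, f func(x, y int) uint8) *Gray {
	g := &Gray{W: w, H: h, Pix: make([][]uint8, h)}
	for y := 0; y < h; y++ {
		g.Pix[y] = make([]uint8, w)
		for x := 0; x < w; x++ {
			g.Pix[y][x] = f(x, y)
		}
	}
	return g
}

// CryptoHash fingerprints one concrete representation: any changed bit changes it.
func CryptoHash(g *Gray) string {
	h := sha256.New()
	for _, row := range g.Pix {
		h.Write(row)
	}
	return hex.EncodeToString(h.Sum(nil))
}

// AverageHash is a simple perceptual hash: reduce the picture to an 8x8 grid of block
// means and emit one bit per cell, set when that cell is brighter than the grid's mean.
// Width and height must be multiples of 8.
func AverageHash(g *Gray) uint64 {
	bw, bh := g.W/8, g.H/8
	var cells [64]float64
	var total float64
	for by := 0; by < 8; by++ {
		for bx := 0; bx < 8; bx++ {
			var sum float64
			for y := by * bh; y < (by+1)*bh; y++ {
				for x := bx * bw; x < (bx+1)*bw; x++ {
					sum += float64(g.Pix[y][x])
				}
			}
			cells[by*8+bx] = sum / float64(bw*bh)
			total += cells[by*8+bx]
		}
	}
	mean := total / 64
	var h uint64
	for i, cell := range cells {
		if cell > mean {
			h |= 1 << uint(i)
		}
	}
	return h
}

// HammingDistance counts the bits in which two perceptual hashes differ.
func HammingDistance(a, b uint64) int { return bits.OnesCount64(a ^ b) }

// Downscale halves the resolution by averaging 2x2 blocks: a representation change
// that leaves what the picture shows intact.
func Downscale(g *Gray) *Gray {
	return NewGray(g.W/2, g.H/2, func(x, y int) uint8 {
		s := int(g.Pix[2*y][2*x]) + int(g.Pix[2*y][2*x+1]) + int(g.Pix[2*y+1][2*x]) + int(g.Pix[2*y+1][2*x+1])
		return uint8(s / 4)
	})
}

// Mirror flips the picture horizontally: a change to the content itself.
func Mirror(g *Gray) *Gray {
	return NewGray(g.W, g.H, func(x, y int) uint8 { return g.Pix[y][g.W-1-x] })
}

// SampleGradient is a constructed 32x32 test picture (not taken from the chapter).
func SampleGradient() *Gray {
	return NewGray(32, 32, func(x, y int) uint8 { return uint8(6*x + 2*y) })
}

func main() {
	orig := SampleGradient()
	small, flipped := Downscale(orig), Mirror(orig)
	fmt.Println("SHA-256 changed by downscale:", CryptoHash(orig) != CryptoHash(small))              // true
	fmt.Println("pHash distance, downscale:", HammingDistance(AverageHash(orig), AverageHash(small)))   // 0
	fmt.Println("pHash distance, mirror:   ", HammingDistance(AverageHash(orig), AverageHash(flipped))) // 54
}
```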

Data hiding [8]: Refers to all techniques which aim at obfuscating the existence 
of a covert message. Often the hidden message is represented in a container of 
the same or other modality of information as opposed to the modality of the 
message itself. Information hiding techniques such as steganography extensively 
use multimedia content for data hiding. 

Provenance [9]: Refers to algorithms and procedures that produce a log of the 
history of a digital asset from creation to the moment it is being accessed or 
consumed. 

Scrambling [10]: Refers to algorithms similar to encryption but targeted at media 
assets, which preserve the nature of the content after they have been applied (e.g. a 
scrambled JPEG image will remain a JPEG image and can be displayed as such). 
The degree of modification in scrambling can often be set to make the content more 
or less intelligible. For example, scrambling could be applied to a specific portion 
of the media asset. 

Deepfake detection [11]: Generally, a deepfake refers to digital assets in the form of audio, 
image, or video (often containing people) where artificial intelligence techniques are 
used to change the content. Shallowfakes and cheapfakes are variations of the latter 
where either the techniques could be more efficient or they are not based 
on artificial intelligence; the objective of the manipulation, however, is the same. 
Artificial intelligence can also be used to detect such manipulations through training 
with examples. However, these techniques only work on transformed digital assets 
rather than on ones generated from scratch. 


30.2.2 Trends 


With the growing reliance on multimedia content in the daily lives of citizens, both 
professionally and in their private lives, media security is becoming an essential 
technology to include in many applications. The following presents some of the 
immediate challenges and trends: 


* Privacy protection in pictures and video, particularly for video surveillance and 
social networks and especially in the context of GDPR [12]. 

* Countermeasures to fight the growing use of deepfakes to spread misinformation. 

* Media security standardization to create interoperable, secure ecosystems, par- 
ticularly those developed by International Standardization Organizations such as 
JPEG [13]. 


30.3 Consequences for Switzerland 


Historically, Switzerland has been considered a country of stability, trust, and 
security. Several standard-setting organizations dealing with information and communication 
technologies, including those defining security mechanisms, are also 
based in Switzerland, which makes it easier for Swiss actors in media security to play an 
essential role in the definition of media security standards that will be the backbone 
of information and communication technologies in the new world order. Furthermore, 
like any other country, Switzerland is also vulnerable to misinformation, which 
can result in unrest and instability and hurt its so-far impeccable image. 


30.3.1 Implementation Possibilities: Make or Buy 


Whether media security tools should be made, tailored, or bought from third 
parties cannot be decided in the abstract; it requires knowing the precise application 
and context. However, some guidelines can help to find the answer on a case-by-case 
basis: 


* Proprietary and closed solutions in media security should be avoided. In a 
security context, it has been demonstrated multiple times that security tools and 
systems whose specifications are kept secret are weaker and more vulnerable to 
attacks when compared to open and publicly accessible specifications [14]. 

* Media security tools and solutions based on international standards, where 
multiple suppliers can be identified as providers of tools and solutions, are generally 
preferable. 

* In mission-sensitive contexts, including applications relevant to national 
security, the design and validation, and in particular the security analysis, of tools and 
solutions should be performed both internally and externally, relying on trusted 
third parties. 


30.3.2 Variations and Recommendation 


Media security is no longer a niche; many applications need media security tools and 
solutions in addition to more general security tools and solutions such as symmetric 
or asymmetric encryption. Therefore, Switzerland needs to strengthen its skills and 
know-how in media security through initiatives to encourage education and public- 
private collaborations. In most cases, media security tools and solutions can result 
in successful business opportunities for those involved. 
30.4 Conclusion 


Media security refers to a large spectrum of tools and solutions that often need to 
be sufficiently and optimally addressed through generic information security tools 
and solutions. At the same time, media security tools and solutions are increasingly 
essential elements in many professional and private applications that have become 
multimedia-rich. Breach of security in applications where multimedia information 
is used can have devastating and irreversible consequences. This can go from impact 
on the privacy of citizens to manipulation of public opinion through misinformation, 
which is particularly dangerous in the Swiss context where direct democracy is 
a foundational principle, requiring well-informed citizens who need to depend 
on reliable information. Because of these reasons, media security must have a 
prominent position in the Swiss strategy in cybersecurity in the years to come. 
Chapter 31 
Secure Positioning and Localization 


Martin Strohmeier 


31.1 Introduction 


Secure positioning and localization refer to the use of technology to accurately 
determine the location of an object or person in a secure and trustworthy manner. 
It relies on GPS, Bluetooth, Wi-Fi, and other wireless technologies to determine 
location. The goal is to ensure the privacy and security of users while providing 
accurate location information. 


31.2 Analysis 


31.2.1 Definition 


Localization and broadcast positioning techniques (e.g., Global Navigation Satellite 
Systems or GNSS) are crucial to many applications in the military, business, and 
society. However, the analysis of their security over the past two decades has shown 
that an attacker who controls the signals at the antenna of a receiver can spoof the 
positioning results. Several methods have been proposed to address this problem by 
securing the content of the signals cryptographically. Distance bounding [1, 2] and 
TESLA (Timed Efficient Stream Loss-Tolerant Authentication) [3] are two leading 
examples. 

Distance bounding helps to enable secure positioning systems. It allows so- 
called verifiers to bound the distance of a prover node. As a concrete use case, 
one can thus prove that a car key is not further than a certain distance away 
from the car it wants to open. Additionally, the prover node can use distance 
bounding to determine its correct position even under spoofing/wireless interference 
by an attacker. Furthermore, distance bounding can also enable secure position 
verification where a verifier verifies the position claim of an (untrusted) prover 
node [4]. 
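The car-key case above from the verifier's side, as an added example that is not code from the chapter or from the cited works: a simplified rapid-bit exchange in which the verifier derives a distance bound from the slowest round trip, with a shared secret, nonces, distances and a relay delay that are all constructed values (a real protocol adds a final authenticated transcript check).

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const c = 299792458.0     // speed of light in m/s: the physical limit the bound rests on
const keyProcessing = 5e-9 // the key's fixed response time in seconds, known to the verifier

// responseRegisters derives two response registers from the shared secret and the session
// nonces: in round i the key answers challenge bit 0 with bit i of r0 and bit 1 with bit i of r1.
func responseRegisters(secret, nonceV, nonceP []byte) (r0, r1 []byte) {
	m := hmac.New(sha256.New, secret)
	m.Write(nonceV)
	m.Write(nonceP)
	out := m.Sum(nil) // 32 bytes: two 16-byte registers, enough for 128 rounds
	return out[:16], out[16:]
}

func bitAt(b []byte, i int) byte { return (b[i/8] >> uint(i%8)) & 1 }

// Key is the prover (the car key); it answers straight from its registers.
type Key struct{ r0, r1 []byte }

func (k *Key) Respond(i int, challenge byte) byte {
	if challenge == 0 {
		return bitAt(k.r0, i)
	}
	return bitAt(k.r1, i)
}

// Link is all the verifier sees: one challenge bit out, one response bit and a measured round trip (s) back.
type Link interface {
	Exchange(i int, challenge byte) (resp byte, rtt float64)
}

// DirectLink is the genuine key at DistanceM metres, reached at the speed of light.
type DirectLink struct {
	Key       *Key
	DistanceM float64
}

func (l DirectLink) Exchange(i int, ch byte) (byte, float64) {
	return l.Key.Respond(i, ch), 2*l.DistanceM/c + keyProcessing
}

// RelayLink models an attacker forwarding the exchange to the real key: every answer is
// correct, but relaying can only add time, never remove it.
type RelayLink struct {
	Inner       Link
	ExtraDelayS float64
}

func (l RelayLink) Exchange(i int, ch byte) (byte, float64) {
	r, rtt := l.Inner.Exchange(i, ch)
	return r, rtt + l.ExtraDelayS
}

// Verify runs rapid-bit rounds over link and returns the distance bound (metres) implied by
// the slowest round; it accepts only if every bit matched and the bound is within maxDistM.
func Verify(secret, nonceV, nonceP []byte, link Link, maxDistM float64, rounds int) (bound float64, accepted bool, err error) {
	r0, r1 := responseRegisters(secret, nonceV, nonceP)
	expect := &Key{r0: r0, r1: r1} // the verifier's own copy of the expected answers
	challenge := make([]byte, (rounds+7)/8)
	if _, e := rand.Read(challenge); e != nil { // unpredictable bits, so answers cannot be precomputed
		return 0, false, e
	}
	allCorrect, worstRTT := true, 0.0
	for i := 0; i < rounds; i++ {
		ch := bitAt(challenge, i)
		resp, rtt := link.Exchange(i, ch)
		if resp != expect.Respond(i, ch) {
			allCorrect = false
		}
		if rtt > worstRTT {
			worstRTT = rtt
		}
	}
	bound = c * (worstRTT - keyProcessing) / 2 // nothing travels faster than light
	return bound, allCorrect && bound <= maxDistM, nil
}

// Scenario checks a genuine key 2 m away, optionally behind a relay adding extraDelayS,
// against a 5 m limit over 64 rounds (secret, nonces and distances are constructed values).
func Scenario(extraDelayS float64) (bound float64, accepted bool, err error) {
	secret, nonceV, nonceP := []byte("constructed-car-key-secret"), []byte("verifier-nonce"), []byte("prover-nonce")
	r0, r1 := responseRegisters(secret, nonceV, nonceP)
	var link Link = DirectLink{Key: &Key{r0: r0, r1: r1}, DistanceM: 2}
	if extraDelayS > 0 {
		link = RelayLink{Inner: link, ExtraDelayS: extraDelayS}
	}
	return Verify(secret, nonceV, nonceP, link, 5, 64)
}

func main() {
	for _, extra := range []float64{0, 500e-9} {
		bound, ok, err := Scenario(extra)
		fmt.Printf("relay delay %.0f ns: bound %.1f m, accepted=%v, err=%v\n", extra*1e9, bound, ok, err)
	}
}
```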

The TESLA protocol and its derivatives/further developments enable the crypto- 
graphic authentication of broadcast communication such as those used in GNSS. It 
uses symmetric cryptography in connection with time as its asymmetric property to 
enable the receiver of the GNSS messages to verify the authenticity of the navigation 
content. 
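The mechanism just described, as an added example that is not code from the chapter or from any GNSS implementation: a minimal TESLA-style sender and receiver with a one-interval disclosure delay, constructed payloads, and a deterministic seed in place of a random key, showing why the receiver must check the disclosure timing before trusting a MAC.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
)

const d = 1 // disclosure delay: the key of interval i is revealed in interval i+d

// newKeyChain builds K_0..K_n with K_{i-1} = SHA-256(K_i). K_0 is the commitment the
// receiver must obtain authentically once (e.g. signed); every later key is checked against it.
func newKeyChain(n int, seed string) [][]byte {
	chain := make([][]byte, n+1)
	last := sha256.Sum256([]byte(seed)) // constructed seed; a real sender draws K_n from a CSPRNG
	chain[n] = last[:]
	for i := n; i > 0; i-- {
		h := sha256.Sum256(chain[i])
		chain[i-1] = h[:]
	}
	return chain
}

// tag MACs a message under a key derived from chain key k, so the disclosed chain key is not the MAC key itself.
func tag(k []byte, interval int, msg []byte) []byte {
	mk := sha256.Sum256(append([]byte("tesla-mac-key|"), k...))
	m := hmac.New(sha256.New, mk[:])
	m.Write([]byte{byte(interval >> 8), byte(interval)})
	m.Write(msg)
	return m.Sum(nil)
}

// Packet is one broadcast frame: the payload of interval I, its MAC, and the key of interval I-d.
type Packet struct {
	Interval            int
	Msg, MAC, Disclosed []byte // Disclosed is K_{I-d} (K_0 itself is public, so disclosing it is harmless)
}

func send(chain [][]byte, interval int, msg []byte) Packet {
	return Packet{Interval: interval, Msg: msg, MAC: tag(chain[interval], interval, msg), Disclosed: chain[interval-d]}
}

// Receiver knows only K_0 and its own loosely synchronized clock.
type Receiver struct {
	lastKey             []byte // most recent authenticated chain key
	lastInterval        int
	pending             map[int][]Packet // buffered until their key is disclosed
	Authentic, Rejected int
}

// Receive takes the receiver's current interval estimate, already widened by the maximum
// clock error. Safety condition: the sender cannot have disclosed the key for p.Interval
// yet, otherwise anyone who saw that disclosure could have forged the MAC.
func (r *Receiver) Receive(p Packet, nowInterval int) {
	if nowInterval >= p.Interval+d {
		r.Rejected++
		return
	}
	r.pending[p.Interval] = append(r.pending[p.Interval], p)
	r.acceptKey(p.Interval-d, p.Disclosed)
}

// acceptKey hashes a disclosed key back to the last authenticated one (tolerating lost
// intervals in between) and only then checks the buffered packets of its interval.
func (r *Receiver) acceptKey(interval int, key []byte) {
	k := key
	for i := interval; i > r.lastInterval; i-- {
		h := sha256.Sum256(k)
		k = h[:]
	}
	if interval <= r.lastInterval || !bytes.Equal(k, r.lastKey) {
		return // stale, or does not chain to the commitment: forged disclosure, ignore it
	}
	r.lastKey, r.lastInterval = key, interval
	for _, q := range r.pending[interval] {
		if hmac.Equal(q.MAC, tag(key, interval, q.Msg)) {
			r.Authentic++
		} else {
			r.Rejected++
		}
	}
	delete(r.pending, interval)
}

// Scenario broadcasts four intervals of constructed navigation payloads plus two forgeries
// and returns how many packets ended up authentic and rejected (3 and 2: interval 4 stays buffered).
func Scenario() (authentic, rejected int) {
	chain := newKeyChain(5, "constructed-sender-seed")
	r := &Receiver{lastKey: chain[0], pending: map[int][]Packet{}}
	for interval := 1; interval <= 4; interval++ {
		p := send(chain, interval, append([]byte("ephemeris-"), byte('0'+interval)))
		r.Receive(p, interval) // arrives within its own interval
		if interval == 2 { // attacker saw K_1 in p: the MAC is valid, but the packet is too late
			r.Receive(Packet{Interval: 1, Msg: []byte("spoof"), MAC: tag(p.Disclosed, 1, []byte("spoof"))}, interval)
		}
		if interval == 3 { // attacker without K_3: on time, but the MAC fails once K_3 is disclosed
			r.Receive(Packet{Interval: 3, Msg: []byte("spoof"), MAC: make([]byte, 32)}, interval)
		}
	}
	return r.Authentic, r.Rejected
}

func main() {
	authentic, rejected := Scenario()
	println("authentic:", authentic, "rejected:", rejected) // authentic: 3 rejected: 2
}
```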

Finally, these methods compete with and complement many non-cryptographic 
methods using physical properties (think classical radar) to verify location claims 
and positions. An overview is given in [4]. 


31.2.2 Trends 


The general expectation is that known secure solutions for navigation, positioning, 
and localization systems will mature and be deployed more widely. This will 
affect many important sectors in the industry, the government, and the military. For 
example, the GNSS market alone is expected to grow steadily over the next decade, reaching 
cumulative revenues of €3860 bn [5]. Furthermore, with autonomous vehicles 
becoming increasingly essential and utilized in all domains (land, water, air), secure 
and robust positioning and navigation capabilities will be crucial. Nevertheless, 
many other growth segments will rely on secure navigation systems besides 
traditional navigation-dependent sectors such as shipping, aviation, cars, and rail. 
These include, but are not limited to, industrial automation, agriculture, climate 
services, infrastructure, insurance and finance, space, and urban development. 

Actors developing and integrating such solutions range from startups and 
university spinouts such as 3db [6] to the major defense contractors and suppliers 
in the GNSS market (e.g., Garmin, car manufacturers, and tech companies such as 
Alphabet). We also expect disruption through the new Low Earth Orbit (LEO) mega-constellations 
such as Starlink and OneWeb, which could be used for navigation [7]. 
Last but not least, the major global powers behind the GNSS systems will be pushing 
for secure and robust solutions, exemplified by the recent addition of TESLA to 
Galileo, the European GNSS [8]. 


31.3 Consequences for Switzerland 


In terms of knowledge and research, Switzerland is well-placed, with some of the 
significant academic research on secure positioning coming from Swiss universities 
and/or conducted by Swiss academics. However, without its own space missions and 
satellite constellation, Switzerland depends on the major global powers and their 
GNSS constellations, particularly GPS (US) and Galileo (Europe). 

For smaller products such as keyless entry systems, the current startup ecosystem 
can provide the expertise for secure positioning solutions and their integration into 
consumer products and other dependent systems. 


31.3.1 Implementation Possibilities: Make or Buy 


This section presents the pros and cons of buying or making secure localization 
products (Table 31.1). 


Table 31.1 Implementation possibilities for different sectors 


Military 
Make, pros: Strategic and operational independence 
Make, cons: Cost (in particular GNSS) and interoperability 
Buy, pros: Only practical approach for large-scale GNSS projects 
Buy, cons: Dependence on foreign actors; additional redundant, independent technologies needed 

Civil Society 
Make, pros: Cheap for consumer tech (e.g. car keys); expertise can be utilized in many areas 
Make, cons: Cost (in particular GNSS) 
Buy, pros: Only practical approach for large-scale GNSS projects; cheaper and faster in the short term, increasing security quickly 
Buy, cons: Dependence on foreign actors; additional redundant, independent technologies needed 

Economy 
Make, pros: Cheap for consumer tech (e.g. car keys); expertise can be utilized in many areas; business opportunities 
Make, cons: Cost (in particular GNSS) and interoperability 
Buy, pros: Only practical approach for large-scale GNSS projects; cheaper and faster in the short term, increasing security quickly 
Buy, cons: Dependence on foreign actors; additional redundant, independent technologies needed 
31.3.2 Variations and Recommendation 


We discuss three different options for secure localization. The differences between actors are relatively minor, particularly since control of crucial space-based global positioning and navigation technologies remains viable only for a handful of major state and supranational actors. The first option is the Timed Efficient Stream Loss-tolerant Authentication (TESLA) broadcast authentication protocol [3]. It has the advantage of being a practical option that can be fitted retroactively to GNSS. On the other hand, it is costly and needs systemic changes. The second option is Distance Bounding [1, 2]. It has two main advantages for the military: flexible technology and proven applications. For civil society and the economy, it is available in consumer technology. On the other hand, it has the disadvantage of being primarily applicable for short distances. The last option is non-cryptographic solutions. For the military, they have the advantage that security can be scaled with additional expenditure, but they offer no cryptographic guarantees (Table 31.2).


Table 31.2 Different options for secure localization

TESLA [3]
  Military, pros: Practical option that can be fitted retroactively to GNSS
  Military, cons: Costly systemic changes required
  Civil Society, pros: Practical option that can be fitted retroactively to GNSS
  Civil Society, cons: Costly systemic changes required
  Economy, pros: Practical option that can be fitted retroactively to GNSS
  Economy, cons: Costly systemic changes required
Distance Bounding [1, 2]
  Military, pros: Flexible technology, proven applications
  Military, cons: Technology primarily for short distances
  Civil Society, pros: Available in consumer technology
  Civil Society, cons: Technology primarily for short distances
  Economy, pros: Available in consumer technology
  Economy, cons: Technology primarily for short distances
Non-cryptographic solutions
  Military, pros: Security can be scaled with additional expenditure
  Military, cons: No cryptographic guarantees
  Civil Society, pros: Can be implemented flexibly and individually without systemic change
  Civil Society, cons: Potentially high cost to utility ratio
  Economy, pros: Can be implemented flexibly and individually without systemic changes
  Economy, cons: Potentially high cost to utility ratio
31.4 Conclusion 


Secure positioning and localization is a comparatively small but essential part of 
the world of cryptographic applications. The integration of positioning in many 
embedded systems and using such methods in critical infrastructure and navigation 
systems make their security paramount. As of today, certainly in the civilian 
world, barely any secure localization methods are being employed. This is already 
changing in higher-end assets, where we see distance bounding used e.g. for keyless 
entry systems for expensive cars. We expect this will trickle down with falling costs 
and increased adoption. 

Cryptographically-secure GNSS is available for the owners/operators of the 
different satellite constellations (e.g. the military version of GPS) and is trickling 
towards some of the civilian versions, as seen with Galileo. While technical 
developments in space can be slow and happen only over the long term, new 
consumer-oriented LEO constellations may change the pace significantly over the 
next few years. 

Out of the scope of this analysis on cryptographic developments is the progress in non-cryptographic secure localization methods. Here, a quicker but more fragmented rollout can be expected in some critical areas as they can often be deployed independently and transparently. This is already the case in many military applications and may be seen in other vital assets.
Chapter 32
Secure Payment


Sophia Ding 


32.1 Introduction 


The shift towards a digital economy has led to an increase in electronic payment 
methods, from credit cards to online and mobile contactless payments. Secure 
payment is crucial in verifying and protecting transactions and customers. Despite 
implementing security measures such as data encryption and strong customer 
authentication, online fraud continues to be a concern in the industry. Standards 
such as the EMV Integrated Circuit Card Specification, Payment Card Industry Data 
Security Standard, and Revised Payment Services Directive regulate the payment 
services and providers, mandating various security measures to be in place. 


32.2 Analysis 


Secure payment is an essential element of digital commerce in a world where 
cash is becoming redundant, credit cards are becoming less and less important, 
and mobile devices are becoming means of payment. Secure payment relies on 
the verification of transactions and customers that make payments. However, this 
process has become increasingly challenging. It has been reported that false declines 
of transactions are increasing as a result of suspected fraudulent activities [1]. 
32.2.1 Definition 


Secure payment refers to a variety of payment methods - typically in relation 
to electronic payments. Therefore, it must be considered through the lens of a 
variety of payment methods: Credit cards have been around since the 1950s, but 
the introduction of chip technology and contactless payment raises new challenges 
for the security of payments [2]. Online payments were reported to have been 
conducted for the first time in the 1990s [3]. There has been an increase in the 
crime of online fraud since then [4]. Since the advent of smartphones in the 2000s, 
mobile (contactless) payment systems have become increasingly popular [5, 6]. 
Additionally, voice payments using voice assistants are becoming increasingly 
popular [7]. 

As a means of combating online fraud, banks and fintech companies have 
implemented techniques such as fraud monitoring (e.g., through the use of emerging 
technologies such as artificial intelligence [8]), employee training, and active 
management of compliance with standards and regulations [9]. The following are 
among them [10]: 


* EMV Integrated Circuit Card Specification for Payment Systems: Payment card standard based on chip technology [11]

* Payment Card Industry Data Security Standard (PCI DSS): All major credit card companies support a set of rules relating to the processing of credit card transactions [12]

* Revised Payment Services Directive (PSD 2, Directive (EU) 2015/2366): This directive regulates the payment services and providers in the European Union (EU) and the European Economic Area (EEA) [13]


These standards require various security measures which include: 


* Data encryption: The Secure Sockets Layer (SSL) and Transport Layer Security 
(TLS) are cryptographic protocols that enable the establishment of a secure 
channel between systems and preserve the confidentiality and integrity of data. 
As of June 30, 2018, PCI requires migration from early versions of TLS and SSL 
to the later versions of TLS [12]. 

* Strong customer authentication (SCA): PSD 2 requires multi-factor authentication, which is the combination of multiple independent security factors (see Sect. 29.2). There are several exceptions to this requirement, such as for payments of very small amounts [13]. EMV 3-D Secure [14] is one method for implementing SCA for credit and debit cards. This protocol is designed to prevent unauthorized use of credit cards. It is offered, for example, under the name Verified by Visa or Mastercard Identity Check, and requires additional authentication with the card issuer for "card-not-present" transactions (i.e., neither the card nor the cardholder are present). Those merchants who use 3-D Secure can be assured that their payments will be received [15].

* Account verification, address verification service (AVS), and card verification value (CVV2) are all methods of validating payment accounts offered by credit card companies. With the exception of U.S. and U.K. card issuers, AVS and CVV2 participation is optional [16, 17].


32.2.2 Trends 


It is estimated that the total value of digital payments will reach $8.49 trillion in 
2022. By 2026, it is forecast that the market will reach $13.75 trillion with an annual 
growth rate of 12.82% [18]. Table 32.1 provides a summary of key trends in secure 
payments in the coming years. As a prerequisite to the use case trends listed in the 
table, secure payment is necessary, emphasizing the importance of secure payment 
for the development of new applications in retail. 


32.3 Consequences for Switzerland 


PSD 2 is only applicable to EU member states; therefore, implementation in Switzerland is voluntary, and there is no corresponding regulation. SEPA membership, however, requires equivalence in a number of areas [31].

According to a study conducted in 2021 on the Swiss payment market, the 
number of cash payments is decreasing drastically as a result of the COVID-19 
pandemic. Online shopping and the use of credit cards are both on the rise, with 
the latter being the most popular method of payment [32]. The popularity of mobile 
payment options is also increasing [33]. 

In the secure payment market, several Swiss startups are active. NetGuardians 
SA (Yverdon-les-Bains, JU) develops artificial intelligence-based fraud detection 
solutions for the banking industry. A payment ecosystem offered by Datatrans AG 
(Zürich, ZH) allows its customers to access secure payment methods that are most 
advantageous to them. 

The recent outages of digital payment services have raised public awareness 
of their vulnerability to disturbances caused by service providers or infrastructure 
providers [34, 35]. In an incident involving Twint, Switzerland's number one mobile 
payment provider, a payment was wired to a previous owner of the intended 
recipient’s mobile number, illustrating the challenges associated with ensuring 
secure payments with modern methods of payment [36]. 


32.3.1 Implementation Possibilities: Make or Buy 


Typically, secure payment is implemented by commercial payment service providers, such as credit card issuers, or infrastructure operators, such as SIX. A number of open-source solutions are currently available for automated clearing house (ACH) payment (e.g., OpenACH), which is used to transfer money from one bank account to another [37]. Additionally, there are open-source payment gateways (e.g., Open-Source Payment Gateway), which facilitate the transfer of payment information. The providers of these open-source solutions claim that their products facilitate integration with existing systems on the client side and provide better customization due to their modularity and adaptability. It is important to note that while the source code is available, open source does not necessarily mean that the solution is free. In addition to PCI compliance, it still requires an underlying infrastructure and computing power.


Table 32.1 Key trends in secure payments

Use Cases
  Voice shopping [19, 20]: A voice assistant is a personal assistant that provides assistance with daily tasks. Voice shopping, or the use of voice assistants for online purchases, is described as a major trend in retail, but it also poses new security challenges. While supermarket chains such as Walmart and Target offer voice shopping to their customers in the United States, the trend is less prevalent in Europe and Switzerland.
  Intelligent shopping cart [21]: In recent years, intelligent shopping carts have been tested. In these shopping carts, the items shopped as well as the shopper are automatically recognized. It is possible to avoid long lines at the check-out and payment with intelligent shopping carts. A secure payment can be made using either a universal payment interface or a one-time password.
Technical Development
  Credit card innovation [22]: A number of credit card innovations are currently being introduced, including biometric cards and dynamic cryptograms, such as those introduced by BNP Paribas. A biometric card stores a client's fingerprint and allows an increase in credit limit if the client authenticates with a fingerprint. A dynamic cryptogram is a three-digit code that adjusts regularly and reduces the possibility of fraud.
  3-D Secure 2 [23, 15]: The 3-D Secure 2 security protocol is a further development of the 3-D Secure security protocol which complies with PSD 2. This is regarded as the most significant change to consumer payment since Chip and PIN was introduced more than 16 years ago. Its new features are 1) frictionless flow, i.e., the option of not requiring additional input from card holders, 2) non-payment authentication, i.e., the card holder is authenticated without making a payment, and 3) native mobile integration, which means that the merchant can integrate 3-D Secure into their mobile application.
  Variants of machine learning for fraud detection [24, 25]: For fraud detection, machine learning (ML) will continue to play an increasingly important role. As an alternative to traditional rule-based systems or standard machine learning systems, ML variants that combine different ML techniques with other approaches, such as scoring models, are being used.
  Payment apps [26, 27]: The Fintech industry provides a variety of services like Apple Pay, Samsung Pay and Google Pay. The Swiss sector is however dominated by one player, Twint, which has more than 4 million active users.
  Cryptocurrencies [28]: Cryptocurrencies are now seen as a means or future means of payment by a significant proportion of the population living in the western world.
Risks
  Outages of secure payment systems and underlying infrastructure [29, 30]: It is important to note that digital secure payment methods heavily rely on digital payment systems. Due to the lack of resilience of service providers (such as card terminals or networks), the secure payment ecosystem is more susceptible to disruptions than the cash payment ecosystem. As power shortages become more likely, business continuity measures need to be taken.


32.3.2 Variation and Recommendation 


Secure payment ecosystems can be established using distributed ledger technologies 
such as blockchain [38]. Due to technological advancements, current disadvantages 
such as inefficiency and elevated power consumption are expected to be mitigated 
in the future, making it a viable alternative to existing secure payment methods [39]. 


32.4 Conclusion 


Regulations require the implementation of technical solutions such as 3-D Secure 
2.0, which are becoming increasingly user-friendly as time goes on. Secure payment 
systems are the foundation of innovation in industries such as retail. 
Chapter 33
Disk, File and Database Encryption


Linus Gasser and Imad Aad 


33.1 Introduction 


Disk, file, and database encryption are technologies used to protect data confiden- 
tiality when stored. Full disk encryption (FDE) encrypts all data on a disk except 
the part containing the code to unlock the rest of the disk, which is usually not 
encrypted. File-based encryption (FBE) operates at the file level and can be done 
by the operating system or an application. Manual file encryption requires user 
intervention and is not transparent. Database encryption (DBE) can be done using 
transparent DBE, column-level encryption, or field-level encryption. The goal of 
DBE is to encrypt the whole database or specific columns or fields to ensure that the 
data on physical storage cannot be read if stolen. 


33.2 Analysis 


To make use of the data, for example, to make computations with it, the data must be decrypted to be processed, unless one makes use of technologies like homomorphic encryption (see Chap. 8). Whether or not the user of a turned-on and unlocked device must provide an additional secret to work on an encrypted file, disk, or database, the key material needed to do so must already be available on the system. When no additional secret needs to be provided, decryption and encryption are transparent to the user, and the key material is usually entered or made available during a device's startup or unlocking phase. Consequently, the data is only secure when the device is turned off or locked.


33.3 Definition 


33.3.1 Full Disk Encryption (FDE) 


As the name suggests, FDE [1] encrypts all data on a disk unless it is the disk from which the system boots. In this case, the part containing the code to unlock or get the key material needed to access the rest of the disk is not encrypted. This code usually does something like (1) reading encrypted key material from the unencrypted part of the disk, (2) having a user enter the password needed to decrypt it, and (3) starting to boot the operating system, as the data on the disk containing it can now be decrypted. Once the operating system has been booted, access to the disk is through the encryption driver and transparent to the user and to any other person/attacker that gets her hands on such a system. This is mainly a problem when using FDE in a server environment, as it is difficult to guarantee that nobody else has access to the system while it is running. In addition, when using FDE in a server environment, care must be taken about how the password/secret key is input into the server's system [2]. Another problem is that if the unencrypted part of the disk is not protected against manipulation, for example, with secure boot technologies, an attacker could efficiently execute attacks like the evil maid attack [3]. A particular case of FDE is external hard disks that include the encryption algorithm and a PIN pad directly in the enclosure. This allows for easy usage with different systems since they do not need any support for FDE; FDE is fully transparent to them in this case.


33.3.2 File-Based Encryption (FBE) 


A system using file-based encryption is similar to an FDE system. However, it operates at the level of individual files instead of at the level of so-called blocks.¹ This means that an FBE system encrypts each file individually. Decryption and encryption can be done by the operating system whenever a file is read and written, or by an application if it is limited to files read and written by that application. Today's FBE systems include modern smartphones running Android or iOS, Windows's built-in Encrypting File System (EFS), Linux systems with fscrypt, or cloud storage solutions like Proton Drive and others. To encrypt the content of files, FBE can use the same encryption key for all files or different keys for different files. This allows, for example, to introduce different protection levels for files, like 


¹ A disk is usually partitioned into a large number of blocks of the same size. 
on Apple devices running iOS. There, files accessible in a locked state are encrypted with different key material than files accessible only in an unlocked state. When the device is locked, the latter protection level's key material is no longer available. It can only be restored by unlocking the phone again. On the negative side, however, most of the FBE systems today leave one or more of the following metadata for an attacker to explore:


* Access times and size of the file—revealing if a file has been used recently and 
what type of file it might be 

* Entry type (file or directory)—revealing applications used 

* For password-protected zip files, even the filenames are in cleartext 


33.3.3 Manual File Encryption 


In contrast to FDE and FBE, manual file encryption requires intervention by the 
user and is not transparent. The most well-known system is to provide a password 
to create a .zip file. This password will encrypt most, but not all, of the data in the zip 
file. More elaborate tools like PGP exist, but they pose a fundamental management 
problem, as the sender needs access to the receiver's public key. 


33.3.4 Database Encryption (DBE) 


DBE is usually done with one of the following approaches: transparent DBE, column-level encryption, or field-level encryption. With transparent DBE, the whole database is encrypted with the same symmetric key. This ensures that data on the physical storage cannot be read if stolen. The other two approaches exploit how relational databases are structured: they consist of tables, tables consist of columns, and a column entry is called a field. With column-level encryption, one can use different encryption keys for different columns. This adds, for example, the ability to encrypt only parts of the data and/or bind key material to specific roles, preventing users with a different role who manage to query such a column from reading the data. However, encrypting columns individually can come at the cost of reduced speed, depending on whether just one or many columns are encrypted. Field-level encryption is also possible. It allows users to search the DB without decrypting each field, since one can encrypt the field content (only exact matches) and then search for this value. However, when encryption is randomized, for example, by prepending a fixed-size random value to the content before encrypting it, a different result is generated for equal fields. This provides more security at the cost of jeopardizing encrypted searches.
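The search trade-off described above, as an added example that is not part of the chapter: one column is encrypted deterministically (synthetic IV) and once more with the random prefix the text mentions, and the same exact-match query is run against both. An HMAC-SHA256 counter-mode construction stands in for AES so the script needs only the standard library; the column key and the customer rows are constructed.

```python
"""Field-level database encryption: deterministic vs. randomized ciphertexts.

Added example, not the chapter's own code. A stand-in cipher built from
HMAC-SHA256 in counter mode replaces AES so the example runs on the Python
standard library alone; the column key and the sample rows are constructed.
"""
import hashlib
import hmac
import os
from typing import List, Tuple

IV_LEN = 16
# Constructed per-column key; a deployment would fetch it from a key server.
COLUMN_KEY = hashlib.sha256(b"constructed demo key for column 'iban'").digest()


def _keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in for AES-CTR: concatenated HMAC-SHA256(key, iv || counter)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, iv + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_deterministic(key: bytes, plaintext: bytes) -> bytes:
    """Synthetic-IV scheme: the IV is a MAC of the plaintext, so equal fields
    give equal ciphertexts, which is what makes exact-match search possible."""
    iv = hmac.new(key, b"siv|" + plaintext, hashlib.sha256).digest()[:IV_LEN]
    return iv + _xor(plaintext, _keystream(key, iv, len(plaintext)))


def decrypt_deterministic(key: bytes, ciphertext: bytes) -> bytes:
    iv, body = ciphertext[:IV_LEN], ciphertext[IV_LEN:]
    plaintext = _xor(body, _keystream(key, iv, len(body)))
    # Recomputing the synthetic IV doubles as an integrity check.
    expected = hmac.new(key, b"siv|" + plaintext, hashlib.sha256).digest()[:IV_LEN]
    if not hmac.compare_digest(iv, expected):
        raise ValueError("wrong key or tampered ciphertext")
    return plaintext


def encrypt_randomized(key: bytes, plaintext: bytes) -> bytes:
    """Randomized variant as described in the text: prepend a fixed-size
    random value before encrypting, so two equal fields no longer match."""
    return encrypt_deterministic(key, os.urandom(IV_LEN) + plaintext)


def decrypt_randomized(key: bytes, ciphertext: bytes) -> bytes:
    return decrypt_deterministic(key, ciphertext)[IV_LEN:]


# Constructed customer rows: (row id, IBAN). Rows 1 and 3 share an account.
ROWS: List[Tuple[int, str]] = [
    (1, "CH93 0076 2011 6238 5295 7"),
    (2, "CH56 0483 5012 3456 7800 9"),
    (3, "CH93 0076 2011 6238 5295 7"),
    (4, "CH21 0900 0000 1000 8887 6"),
]


def encrypt_column(rows, key: bytes, randomized: bool):
    enc = encrypt_randomized if randomized else encrypt_deterministic
    return [(rid, enc(key, iban.encode())) for rid, iban in rows]


def search_without_decrypting(table, key: bytes, value: str) -> List[int]:
    """Encrypt the query and compare ciphertexts; no row is decrypted.
    Works only when the column was encrypted deterministically."""
    token = encrypt_deterministic(key, value.encode())
    return [rid for rid, ct in table if hmac.compare_digest(ct, token)]


def search_by_decrypting(table, key: bytes, value: str, randomized: bool) -> List[int]:
    """Fallback for a randomized column: every row has to be decrypted."""
    dec = decrypt_randomized if randomized else decrypt_deterministic
    return [rid for rid, ct in table if dec(key, ct) == value.encode()]


def distinct_ciphertexts(table) -> int:
    """Equality leakage: with deterministic encryption, a snooper who never
    learns the key still sees which rows hold the same value."""
    return len({ct for _, ct in table})


if __name__ == "__main__":
    det = encrypt_column(ROWS, COLUMN_KEY, randomized=False)
    rnd = encrypt_column(ROWS, COLUMN_KEY, randomized=True)
    query = ROWS[0][1]
    print("deterministic, ciphertext match:", search_without_decrypting(det, COLUMN_KEY, query))
    print("randomized, ciphertext match:   ", search_without_decrypting(rnd, COLUMN_KEY, query))
    print("randomized, decrypt each row:   ", search_by_decrypting(rnd, COLUMN_KEY, query, True))
    print("distinct ciphertexts det/rnd:", distinct_ciphertexts(det), distinct_ciphertexts(rnd))
```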
33.4 Security Considerations 


33.4.1 Encryption Algorithms 


Some high-performance encryption devices exist in hardware, but most systems 
are based on software. The advantage of using software is that the system can be 
updated more easily. Also, a failing hardware component can make it impossible to 
continue using the system if a replacement for the component is unavailable. 

Most systems use standard encryption algorithms like AES or ChaCha20, see Chap. 2. Only a few systems create their own algorithms [4]. See also [5, 6] for an overview.

AES works as a block cipher, meaning it can only encrypt one data block at a time. In the case of AES, this is 256 bits. To encrypt an entire disk, AES is combined with a block cipher mode that allows it to encrypt larger blocks.


33.4.2 Key Management 


The symmetric key used for encryption is derived, in the simplest case, from a password given by the user. It is essential that the password is long enough and has enough entropy to be secure. This simple system cannot recover a lost password and cannot allow more than one user access to the same data.

More elaborate systems use asymmetric encryption to protect the symmetric key. This additional, asymmetric key can be stored in a hardware element like a smartcard, a TPM, or another. These systems can also include two-factor authentication.

In all systems, there needs to be a way to recover the data in an emergency, for example, if the user forgets her password or loses her private key. Nevertheless, this needs to be done so that the emergency procedure cannot be abused. Indeed, if this emergency option can be used to access unauthorized data, it can become more of a problem than a solution. Therefore, a proper balance has to be found between confidentiality and availability.


33.4.3 Coercion 


To access encrypted data, be it data protected by FDE, FBE, or DBE, some user-provided secret/key material is needed. An attacker might force the user to enter the password through coercion to get it. This might be violence, the threat of jail, or any other type of coercion [7]. To defeat this attack, some systems allow users to provide different passwords. Depending on the password, the system will open one of two containers. One password opens the standard system, file, or database, while another opens a different one that does not contain sensitive data. For an external observer, it is nearly impossible to know which of the two systems they are currently looking at. One example of a solution that does this at the level of disks is VeraCrypt [8].


33.5 OS Examples 


See Table 33.1.


Table 33.1 Software used in different operating systems to add FDE or FBE

Windows
  BitLocker (Full Disk): Encrypts one or more drives using AES-256, allows fine control for access and encryption
  Device Encryption (Full Disk): Encrypts all available drives using AES-256
MacOSX
  FileVault (Full Disk): Encrypts using AES-128
Linux
  CryFS (File Based): Encrypts using AES-256 and stores the files as blocks to hide metadata
  DM-Crypt (Full Disk): Encrypts using AES-256 and is used by other tools
iOS
  iPhone encryption (Full Disk and File Based): Encrypts all data using AES-256
Android
  Direct Boot (File Based): Encrypts using AES-256


33.6 Trends 


The essential features of FDE and FBE are now readily available in popular operating systems like Windows, MacOSX, and Linux. However, it is still rare to see encryption on the server side, except for servers from big players. For example, Google uses several layers of encryption. This also has to do with the fact that users have no influence on whether the data behind cloud services is encrypted.

Two features of encryption that can improve the user experience might gain more traction by 2025. Both involve managing the secret key: delegated (custodial) key management and threshold encryption.

Delegated (custodial) key management means that the key resides on a third-party server. This allows recovery of the key if the primary owner loses it. Microsoft and Apple offer this service when installing FDE. While this system guarantees that the key will still be available even in the case of password loss, you now have to trust the keeper of the key, in this case, Microsoft or Apple, not to give it away.

A more secure method is threshold encryption, which shares the key among several parties. It requires a minimum number of those parties to participate in recovering the key. In this way, a single participant cannot leak the key. Several systems are working on this scheme; one is [9], developed at EPFL by Prof. Bryan Ford.
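How a threshold scheme keeps any single custodian from leaking the key, as an added example that is neither the chapter's code nor the EPFL system it cites: the disk key is split with Shamir secret sharing over a prime field, any three of five shares recover it, and fewer are refused. The key bytes and the 3-of-5 parameters are constructed.

```python
"""Threshold recovery of a disk-encryption key with Shamir secret sharing.

Added example, not the chapter's own code. The symmetric key is the constant
term of a random polynomial of degree t-1; each party receives one point on
it, so any t parties can interpolate the key while t-1 learn nothing.
The key and the parameters used below are constructed.
"""
import secrets
from typing import List, Tuple

# Prime field large enough to hold a 256-bit key as one element
# (2^521 - 1 is a Mersenne prime).
PRIME = (1 << 521) - 1

Share = Tuple[int, int, int]  # (threshold t, x, f(x))


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, n: int, t: int) -> List[Share]:
    """Split key into n shares with threshold t (t-of-n)."""
    if not 1 < t <= n:
        raise ValueError("need 1 < t <= n")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    # Random non-constant coefficients hide the secret from fewer than t parties.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(t - 1)]
    return [(t, x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def lagrange_at_zero(points: List[Tuple[int, int]]) -> int:
    """Evaluate at x = 0 the unique polynomial through the given points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_key(shares: List[Share], key_len: int = 32) -> bytes:
    """Recover the key from at least t distinct shares; refuse otherwise.

    Refusing is a policy check only: with t-1 shares every candidate key is
    equally consistent with the points, so there is nothing to recover."""
    t = shares[0][0]
    xs = {x for _, x, _ in shares}
    if len(xs) != len(shares) or len(shares) < t:
        raise ValueError(f"need {t} distinct shares, got {len(shares)}")
    points = [(x, y) for _, x, y in shares[:t]]
    return lagrange_at_zero(points).to_bytes(key_len, "big")


if __name__ == "__main__":
    disk_key = secrets.token_bytes(32)  # constructed stand-in for the FDE key
    shares = split_key(disk_key, n=5, t=3)
    print("3 of 5 shares recover the key:", recover_key(shares[:3]) == disk_key)
    print("a different 3 also work:      ", recover_key([shares[4], shares[1], shares[2]]) == disk_key)
    try:
        recover_key(shares[:2])
    except ValueError as e:
        print("2 of 5 refused:", e)
```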


33.7 Consequences for Switzerland 


From a user perspective, FDE and FBE are great tools to keep data privacy on the 
computer. No unauthorized person can access the data, even in the case of theft or 
loss of the device. On the other hand, from a law enforcement perspective, these 
tools make it more challenging to get the data necessary to convict a felon. 

The department of computer science at ETH Zurich has two laboratories, the 
Applied Cryptography Group and the Information Security and Cryptography 
group, working on different cryptography applications. Their publications cover 
FDE, FBE, and DBE. 


33.8 Conclusion 


Both FDE and FBE allow good protection against data leakage in the case of device 
theft or loss. However, due to their nature, they cannot protect against an attacker 
who gets her hands on a device turned on (and unlocked) or any other intruders 
who can run programs on the computer. This might be somebody using phishing to 
access the computer or malware getting access to your computer through a bug in 
the operating system. 
Chapter 34
Web3


Linus Gasser 


34.1 Introduction 


Web3 is the next generation of the internet, often referred to as the decentralized 
or blockchain web. It aims to address the shortcomings of the current centralized 
web, such as privacy concerns and lack of control over personal data, by leveraging 
decentralized technologies like blockchain and peer-to-peer networks. The vision of 
Web3 is to create a more open, secure, and democratic internet where users have full 
control over their data and interactions. The goal of Web3 is to build a new internet 
infrastructure that is more secure, user-centric, and decentralized than the current 
web, making it easier for individuals to own and control their data. 


34.2 Analysis 


Since its invention by Tim Berners-Lee in 1989, the Web has undergone a major transformation, and depending on whom you talk to, another one, Web3, is on the horizon. The original internet, Web 1.0, allowed for static web pages with links to other web pages. Anything beyond that, for example, programming user interactions with these pages to implement web applications, was complicated. With the first transformation of Web 1.0 to Web 2.0, the Web became much more dynamic. Technologies like JavaScript and Cascading Style Sheets offer myriad ways to interact with users and implement complex web applications. The possibilities of Web 2.0 sparked services like Facebook and TikTok, whose primary business is to engage users to interact with content and to exploit these interactions for marketing and advertisement purposes. The user, or more precisely, the data collected about a user, became the new currency; in exchange for their data, users can use most services for "free". With Web 2.0 dominated by only a few companies, the "Big Tech" companies like Meta or Alphabet, some people wished for a less centralized Web. Web3 might become a more decentralized Web as it incorporates concepts such as decentralization, blockchain technologies, and token-based economics.


34.2.1 Definition 


When discussing the next generation of the internet, two terms are often heard and 
sometimes also confused: Web3 and Web 3.0. Even though they both designate the 
future of the internet and decentralization, they are not the same [1]: 

Web 3.0 was coined by Tim Berners-Lee as the Semantic Web, where the pages are machine-readable. In his implementation, Solid, people store their data securely in decentralized data stores called Pods. In Web3, decentralization is not achieved through Pods, which are owned by the users and can be hosted anywhere and moved around quickly, but by using blockchain technology. With the blockchain as a basis, Web3 wants to be a platform that goes far beyond being a platform for Web content only. It leaves the Semantic Web focus aside and strives to become the future technical, legal, and payment infrastructure for the world. Web3 also wants to "cut out the middlemen" by directly connecting producers and consumers. This allows the producers to receive more money for their work while the consumer needs to pay less.

It is, therefore, confusing that Tim Berners-Lee stated that Web3 was coined by Gavin Wood and is the name of his company that develops Web 3.0: users own their data, not corporations; global digital transactions are secure; online exchanges of information and value are decentralized.


34.2.2 Technologies 


The technology for Tim Berners-Lee's Web 3.0 revolves around the possibility of each internet user managing their own Pods. Pods are like secure personal web servers for one's data. The Solid project writes the following about Pods:


(Pods) can be hosted by the same Pod Provider or by different Providers or be self-hosted 
or any combination thereof. The number of Pods you have, as well as which Solid Server or 
Servers you use, is effectively transparent to your applications and services. This is because, 
in the Solid ecosystem, data is linked through your identity and not through the specifics of 
your Pod. This is true for your data and those that others have shared with you. 
The user has complete control over who sees which part of her Pod. This allows 
the implementation of self-sovereign identities, which can free internet users from 
the need to depend on big companies like Google, Facebook, or TikTok for their 
identity [2]. 

Web3 goes much further in its decentralization and wants to promote a self- 
sovereign internet. This self-sovereign internet is based on a decentralized (peer-to- 
peer) infrastructure, currently embodied using blockchains. The goal is to replace a 
big part of the current infrastructure provided by the government through services 
based on blockchains and smart contracts [3]. 

In Web3, cryptocurrencies and other financial assets like Non-Fungible Tokens 
(NFTs) replace the government's fiat money. In addition, smart contracts enable 
the creation of Decentralized Autonomous Organizations (DAOs), which mirror 
real-world structures in the Web3 world. Using DAOs, decisions can be made with 
less friction than in real-world organizations. Another component, Decentralized 
Finance (DeFi), allows the exchange of the different crypto-tokens directly on the 
blockchain without going through a centralized exchange [3]. 

Some also include the approaching Metaverse in Web3 and propose that 
exchanges between different Metaverse platforms can be done using NFTs. This 
allows things bought in one Metaverse to be used in another Metaverse [3]. 


34.2.3 Risks 


As has been shown in 2021 and 2022, significant parts of the blockchain infrastruc- 
ture for Web3 are not ready for prime time yet: systems are slow, they break, and the 
smart contracts contain many bugs which hackers exploit to steal the funds stored 
in these smart contracts [4]. 

Another risk needs to be considered concerning the societal effects of removing 
parts of the government: how can Web3 make sure that the social aspects of 
today's governments are kept so that people are not excluded? One unsolved 
question regarding decentralized finance is how to recover stolen or lost funds when 
blockchains are decentralized and immutable. 

Finally, another hidden risk of Web3 is that it is less decentralized and open 
than its advocates might say. Indeed, blockchain-based activity depends on services 
that are only possible with the cooperation of a handful of private, centralized 
companies [5]. 


34.2.4 Trends 


Over the next few years, Web3 will mature, and its components will merge 
with current technologies. This might include upcoming Central Bank Digital 
Currencies [6], which could remove some of the problems linked to the high 
volatility of cryptocurrencies. 

There is an attempt to work on the privacy problem of blockchains through the 
use of Zero-Knowledge proofs, which can hide the actions of a user. While this 
technology currently is very limited due to its low speed, it might very well mature 
to the point of being usable in a broader context [7]. 

As there is very little research on how to implement theft and fraud protection in 
Web3, it is expected that these problems will persist for many years to come. One of 
the problems is that this protection can be solved quite easily in a centralized setup, 
but a decentralized setup makes it very hard to make the right decisions. 


34.3 Consequences for Switzerland 


Switzerland was one of the first countries to have a legal framework for blockchain 
applications [8]. This made it attractive and drew many companies to Zug and 
other places [9]. There is also an ongoing effort towards a digital identity that 
should be self-sovereign [10]. This puts Switzerland in a good position to profit 
from the positive effects of Web3. 


34.3.1 Adoption and Efficacy 


The current adoption of Web3 is low, mainly because the technology is not yet 
mature or widely used. In addition, the underlying blockchains are too slow and 
too difficult to use [4]. They are also currently incompatible with the "free 
through ads" internet, as participating in them always requires a payment. 

From an efficacy point of view, some of the underlying services are starting to 
evolve into a usable form: [11] has a decentralized cloud management system, and 
[12] is running a fast and decentralized generic blockchain. 


34.4 Conclusion 


Web3 promises more power to the users and the removal of intermediaries between 
the users and the services. This can bring more privacy and better remuneration 
for the service providers on the internet. Furthermore, most Web3 propositions 
are based on blockchains, which allow increasing trust by removing power from 
some controllers, like Google or Facebook. Switzerland is in an excellent position 
to participate in the upcoming Web3, as it already has legal regulations that allow 
innovation and growth. However, this dream might not come true as a new big player 
could control this new infrastructure. 
So far, current Web3 systems still need to scale to the many billions of users on 
the internet. Once Web3 scales, it may deliver on its promise of a more user-driven 
experience. 
Chapter 35 
5G 


Weyde Lin 


35.1 Introduction 


5G is the fifth generation technology standard for broadband cellular networks, 
designed to address the increasing need for higher capacity and throughput in mobile 
devices, driven by new applications, use cases, and lower latency requirements. The 
first air interface standard for 5G (5G NR) was defined in 2018 by the 3rd Generation 
Partnership Project. It uses two frequency ranges, including the millimeter wave 
spectrum, which offers high data rates but has limited range. 5G builds on 
existing security controls and adds features such as public-key cryptography to 
conceal the subscriber identity, network slicing, and improved authentication of 
the device to its home network. The 5G rollout started in 2019, and the European 
Commission endorsed the EU 5G toolbox in 2020 to address the security risks related 
to 5G networks. The trend toward virtualization of network elements is also 
growing, which increases operator flexibility and reduces costs. 6G is currently 
at the research stage and is expected to roll out in the 2030s. 


35.2 Analysis 


The number of mobile devices connected to a cellular network is constantly 
increasing [1], simultaneously they require higher capacity and throughput, partly 
driven by new devices or applications (e.g., IoT devices [2], machine-to-machine 
communications [3]), new use cases with increased download speed requirements 
(e.g., video streaming, video meetings [4]) and lower latency requirements (e.g., 
Industry 4.0 and mobile gaming [5]). The 5th generation technology standard for 
broadband cellular networks (5G) [6] is meant to address these challenges [7]. 


35.2.1 Definition 


In 2018 the first air interface standard for 5G was defined by the 3rd Generation 
Partnership Project (3GPP) as the radio access technology 5G NR (New Radio) [8]. 
5G NR can use the frequency ranges 410 MHz-7125 MHz (Frequency Range 1 [9]) 
and 24.25 GHz-71.0 GHz (Frequency Range 2 [10]). Frequency Range 2 (FR2), 
also known as the millimeter wave spectrum, is new in 5G and has not been used 
in previous cellular network standards (i.e., 1G-4G). The wide channel bandwidths 
available in FR2 allow very high data rates. However, the range is limited, as the 
signal cannot travel far and is easily blocked by buildings or trees [11]. Therefore, 
the millimeter wave spectrum is primarily used in urban environments to provide 
high network capacity in crowded places [12]. 

From a security point of view, 5G builds on the previously existing security 
controls but adds some new security features. This generation introduces 
public-key cryptography: the permanent subscriber identifier (SUPI) is encrypted 
with the home network's public key before it is sent over the air (as a SUCI), so 
it is no longer transmitted in clear as the IMSI was in earlier generations. Other 
improvements are the authentication of the device to its home network even when 
using an untrusted serving network, and network slicing, which provides 
differentiated handling of service requirements for different applications [13]. 


35.2.2 Trends 


Global 5G rollout by mobile operators started in 2019 [7]. In 2021, global 5G 
population coverage had already reached 25%, which is significantly faster than 
the 4G rollout, which took 18 months longer to reach the same global population 
coverage [14]. This is partly driven by the fact that mobile data traffic roughly 
doubles every 2 years [15]. GSMA predicts that in 2025, 44% of all mobile 
connections in Europe will be 5G [16]. 

Securing 5G networks is crucial for the success of their adoption, especially for 
business users. The European Commission therefore endorsed the EU 5G toolbox 
in 2020 [17]; the toolbox outlines mitigation measures to address the security risks 
related to 5G networks. 

In network evolution, and in the 5G rollout especially, the increased virtualization 
of network elements is a growing trend [18]. It allows hardware and software 
network resources to be maintained and configured by a single software-based 
administrative entity, the virtual network [19]. This increases the operator's 
flexibility and reduces costs, as no physical changes to the network are required 
when it is reconfigured (see also Network Slicing and Multi-access Edge 
Computing below). However, this is only available if the 5G antenna is linked to a 
5G core (5G standalone) [20]. 

The next cellular network generation (6G) is already being worked on. However, 
the technology is currently only at the research stage and is expected to roll out 
in the 2030s [21]. 


35.3 Consequences for Switzerland 


Since the start of the 5G rollout in 2019, the installation of 5G capable equipment 
in Switzerland has been fast-paced. As a result, the largest Swiss mobile operator 
(Swisscom) already had a population coverage (i.e., “the percentage of inhabitants 
living within range of a mobile-cellular signal” [22]) of 90% by the end of 2019 [23]. 
At the end of 2021, Swisscom had a population coverage of 98% while Sunrise 
reached 96% of the population [15]. 

There is a small but vocal minority of the Swiss population that is very critical of 
the 5G technologies and tries to block the construction of new 5G antennas [24] or 
even destroys them [25]. On the other hand, the Swiss mobile operators warn that 
with the blockage of new 5G antennas, the network capability will not be able to 
keep up with the yearly increase in mobile data usage [26]. 


35.3.1 Implementation possibilities: Make or Buy 


The largest vendors for 5G equipment are Ericsson, Nokia, Huawei and ZTE [27]. 
Multiple countries (US, Canada, UK) have banned the Chinese 5G vendors Huawei 
and ZTE from supplying equipment for their countries’ 5G mobile network 
infrastructure [28]. They cite security concerns for the ban. The Chinese government 
dismisses these claims and argues that the ban is politically motivated. 


35.3.2 Variation and Recommendation 


Private Networks 

These are 5G networks that are nonpublic and isolated from the public network. 
Compared to Wi-Fi, they offer extended coverage and speed. Private 5G networks 
are especially interesting for industrial applications [29] due to their low latency 
(e.g., for IoT devices in a factory) [30]. Private networks offer privacy and greater 
control, since the network operator can assign different priority levels to different 
devices [31]. 
Network Slicing 

This method allows multiple virtual networks to be defined on top of the physical 
network. This allows mobile operators to tailor them to the needs of individual 
customers. The GSMA (Global System for Mobile Communications, an industry 
organization representing the worldwide mobile communications industry) esti- 
mates that network slicing will generate a revenue of $300 billion by 2025 [32]. 
Network slicing is part of the 5G standard set by 3GPP [33]. 


Multi-Access Edge Computing (MEC) 

MEC (sometimes known as mobile edge computing or mobile edge cloud) brings 
cloud computing capacity close to the edge of the cellular network, i.e., closer 
to the mobile device user. This results in lower latency and higher bandwidth, 
uninhibited by network congestion, and allows for novel real-time applications 
(e.g., augmented reality headsets on construction sites). A standardization effort 
by ETSI (European Telecommunications Standards Institute) is in progress [34]. 


Fixed Wireless 

Mobile operators offer 5G router-based "fixed" access for stationary internet access 
as an alternative to fixed line broadband [35]. This is needed mainly in rural areas 
where the fixed broadband coverage might not be complete. 


35.4 Conclusion 


5G is a further development of the cellular network standard that allows for higher 
bandwidth, higher throughput, and lower latency. The improved performance of 5G and 
the additions to the network standard enable novel use cases such as private 
networks or MEC. Due to the increased reliance on mobile connectivity by business 
and industrial customers, securing the mobile cellular network is indispensable. The 
5G network standard was designed to directly address the security shortcomings of 
the previous network standards (i.e., 2G/3G/4G) [36]. The only drawback is that 
most of the new security features will not be available until the 5G network is fully 
deployed as 5G standalone (SA), i.e., 5G end-to-end with a 5G core and 5G antennas. 
Chapter 36 
Email Security 


Emilia Nunes 


36.1 Introduction 


In 2020, approximately 306 billion emails were sent and received daily, and this 
number is expected to rise to over 376 billion by 2025. A standard attack vector is 
phishing, a type of social engineering where a fraudulent message is sent to trick 
a person. Email was not designed with protection against cyber-attacks in mind, 
making it an attractive target for cybercriminals. According to a study conducted 
in 2021, 83% of companies have been attacked by phishing. End-to-end encryption 
(E2EE) or Transport Layer Security (TLS) can be used to secure emails. E2EE 
standards include Pretty Good Privacy (PGP) and Secure/Multipurpose Internet 
Mail Extensions (S/MIME). The use of E2EE in email is still rare; many emails 
are sent as plain, unencrypted text. Nevertheless, encrypted email market revenue 
tripled from $0.5 billion to $1.5 billion between 2015 and 2020. Technical 
developments in email security include cloud-based email services, artificial 
intelligence, blockchain, multi-factor authentication, and security extensions. 


36.2 Analysis 


Ray Tomlinson sent the first email in 1971 [1]. Since then, the number of email 
users has steadily increased. In 2020, approximately 306 billion emails were sent 
and received worldwide every day, and this number is expected to increase to over 
376 billion by 2025 [2]. A primary attack vector is phishing, a type of social 
engineering in which a fraudulent message is sent to trick a person. In addition, 
emails were not designed with protection against cyber-attacks in mind [3], 
making them an attractive target for cybercriminals. According to a study conducted 
in 2021, 83% of companies have been attacked by phishing [4], a widely used 
technique to steal personal information from users, for example via email [5]. Based 
on surveys of companies in the United States, the United Kingdom, France, Germany, 
and Australia [6], this represents a 46% increase from 2020. Phishing is not the 
only form of cybercrime, but it is the most widespread and is expected to remain 
a significant problem in the future. As a result, it is even more critical to ensure 
information security, especially authenticity, in emails [7]. 


36.2.1 Definition 


Email is usually used to refer to one of the following: (1) a means or system 
for transmitting messages between computers on a network or (2) a message sent 
and received electronically through an email system. Here, we focus on securing 
the messages rather than the email system. Email messages can be secured using 
cryptography. For example, end-to-end encryption (E2EE) can be used to protect 
them in transit and at rest. In addition, Transport Layer Security (TLS) [8] is used 
to protect emails in transit between email servers and clients. TLS uses a 
combination of asymmetric (see Chap. 3) and symmetric cryptography (see Chap. 2). 
Common standards used for E2EE email encryption are: 


* Pretty Good Privacy (PGP): One of the most widely used standards [9] is 
OpenPGP, which provides message encryption and digital signatures as security 
services (see Chap. 15). OpenPGP is an open standard that employs a combination 
of asymmetric (see Chap. 3) and symmetric encryption (see Chap. 2) [10]. 

* Secure/Multipurpose Internet Mail Extensions (S/MIME): Another widely used 
standard is S/MIME, which is also based on asymmetric and symmetric encryption. 
It provides authentication, message integrity (i.e., the message was not modified 
during transmission), non-repudiation of origin (using digital signatures), and 
data confidentiality (using encryption). The certificates used to verify the 
signatures are issued by certificate authorities [11]. 


36.2.2 Trends 


End-to-end email encryption today is a rare, partial, and often perceived impractical 
solution. So most emails are sent as plain, easy-to-read, unencrypted text [3, 12]. 
Nevertheless, over 2015-2020, encrypted email revenue tripled from $0.5 billion 
to $1.5 billion [13]. Several factors drive growth, including an increase in fraud 
(particularly phishing), an increase in email users, a high demand for cloud-based 
encryption services, and regulations requiring privacy compliance. 


Technical Development There are a variety of technical developments that apply 
to email security. Cloud-based email services bring cost-effectiveness and 
scalability; in addition, security is included as part of the cloud service and does 
not require in-house development, implementation, and maintenance [14, 15]. 
Artificial intelligence can detect various types of attacks. A blockchain eliminates 
the need for trusted intermediaries and keeps track of all previous transactions 
(see Chap. 25). Multi-factor authentication adds additional layers of security, 
making it harder for attackers to steal a person's identity (see Chap. 29). Finally, 
extensions such as Plesk Email Security or Virtru can help protect users against 
attacks. 


Risks Risks evolve continuously. Phishing via email is a standard method of 
phishing, which is becoming more dangerous as phishing as a service (PhaaS) 
becomes increasingly prevalent. Using PhaaS, cybercriminals assist others in 
conducting phishing attacks for a fee. This provides cybercriminals with a new 
source of revenue and permits anyone, regardless of their level of expertise, to 
conduct more professional attacks. PhaaS increases the number of phishing attempts 
while also increasing the likelihood that attacks will be effective [16]. With the 
rise of offensive artificial intelligence, which can craft messages that evade 
conventional rule-based detection software, organizations must adopt new 
defenses [17]. 


36.3 Consequences for Switzerland 


In 2021, Switzerland reported twice as many cyber incidents as the previous year. 
The most frequent reports [18] concerned emails sent by perpetrators masquerading 
as law enforcement agencies. In recent years, more and more Swiss providers 
have entered the market with solutions that enable automated email encryption 
and signing, as email remains the most common means of communication in the 
public and private sectors. For example, IncaMail (Swiss Post) [19], HIN Mail 
(Health Info Net AG) [20], and SEPPmail (SEPPmail AG) [21] offer an integrated, 
comprehensive solution for their clients. The Federal Department of Justice and 
Police (FDJP) has recognized these solutions as secure delivery platforms in the 
context of legal proceedings. Therefore, these solutions can be used under the 
"ordinance on electronic communication in civil and criminal proceedings and 
in debt enforcement and bankruptcy proceedings" [22, 23]. Lawyers, for example, 
may receive court submissions or send court decisions in compliance with the law 
(see Chap. 37). 

In Switzerland, email security is also actively researched, although more as 
part of fundamental research in cyber security (see Chap. 37). Protonmail is also 
a remarkable Swiss success story in email security. Indeed this company brings a 
service like no other to the table [24]. 
36.3.1 Implementation possibilities: Make or Buy 


A secure email security solution should include strong encryption and address 
network vulnerabilities when purchased or built. Various solutions have now been 
established on the market, including SEPPmail [21], IncaMail [19], and HIN [20], 
which meet the legal requirements of the federal government and can be considered 
to be easy to use [25]. These solutions may also be used to exchange messages 
securely with communication partners that are not themselves subscribers to those 
solutions. 


36.4 Conclusion 


According to trends, email security is moving towards scalable, faster, safer, and 
more convenient solutions. As a result, system offerings that provide end-to-end 
encryption and are more user-friendly are taking up an increasing amount of 
the market. Since the email system was originally not designed to be secure, 
considerable effort had to be made to ensure the security of emails. Nevertheless, 
emails may never be as secure as newly designed solutions with solid end-to-end 
encryption and robust architecture (see Chap. 37). 
Chapter 37 
Secure Messaging 


Emilia Nunes 


37.1 Introduction 


In today’s digital world, instant messaging and social networking have become 
ubiquitous. The widespread use of these communication channels, especially in the 
workplace, has raised security concerns for individuals and organizations. Secure 
messaging refers to protecting and safeguarding communication infrastructure, 
such as emails, messaging apps, and instant messaging platforms, through various 
security mechanisms like end-to-end encryption (E2EE). E2EE uses encryption 
and decryption keys to ensure the privacy of messages and the authenticity of the 
sender and recipient. With the increasing number of mobile messaging users, the 
need for secure messaging systems is rising. Technological advancements, such as 
cloud-based and blockchain-based platforms, drive growth in the secure messaging 
market. However, risks like phishing and cyberattacks remain persistent and are 
projected to continue targeting messages in the future. 


37.2 Analysis 


37.2.1 Definition 


A message is defined as any piece of information that a person communicates to 
another individual or group. On the other hand, a secure messaging system is a 
method of protecting and securing individuals’ and organizations’ communication 
infrastructure [1]. Among the communication channels are emails, messaging apps, 
and social networking platforms for instant messaging (e.g., WhatsApp). Access to 
these channels is possible from various systems, such as mobile phones and com- 
puter messaging applications. In addition to preventing cyberattacks, appropriate 
security mechanisms can also enhance confidentiality (i.e., only intended recipients 
can view messages) and authenticity (i.e., verifying the identity of senders and 
recipients) [2]. 

E2EE (end-to-end encryption) can be used to secure messages while transferring 
them from one system or device to another. E2EE is intended to secure communi- 
cation in a way that prevents third parties from accessing information. A message 
in E2EE is encrypted on the system or device of the sender, and only the intended 
recipient is permitted to decrypt it. The encryption and decryption keys are stored 
on each endpoint of the communication system. To facilitate key management (see 
Chap. 4), most systems make use of Public Key Cryptography (see Chap. 3). 
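The end-to-end property described in this paragraph and in the E2EE definition of the email chapter (keys generated and held only on the endpoints, public-key cryptography for key agreement, the relaying server unable to read the content) can be shown in a few dozen lines. The following Go program is an added example written for this edition and is not code from the original book or from any of the products it mentions. It assumes Go 1.20 or later for the standard `crypto/ecdh` package, and the names `Endpoint`, `SessionKey`, `Seal` and `Open`, the one-step HMAC-SHA256 key derivation under a fixed label, and the routing header are all choices made for the example; the messages are constructed inline.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Endpoint is one device; its X25519 private key never leaves it.
type Endpoint struct{ priv *ecdh.PrivateKey }

func NewEndpoint() (*Endpoint, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Endpoint{priv: priv}, nil
}

func (e *Endpoint) PublicKey() []byte { return e.priv.PublicKey().Bytes() }

// SessionKey agrees on a shared secret with the peer's public key and derives a
// 256-bit AES key from it with HMAC-SHA256 under a fixed, non-secret label
// (assumed one-step KDF; real messengers use HKDF plus a per-message ratchet).
func (e *Endpoint) SessionKey(peerPub []byte) ([]byte, error) {
	pub, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	shared, err := e.priv.ECDH(pub)
	if err != nil {
		return nil, err
	}
	kdf := hmac.New(sha256.New, []byte("e2ee-demo-session-key"))
	kdf.Write(shared)
	return kdf.Sum(nil), nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts and authenticates plaintext with AES-256-GCM and prepends a fresh
// random nonce. header (sender/recipient) stays in clear so the server can route
// the message, but the GCM tag binds it to the ciphertext.
func Seal(key, header, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, header)...), nil
}

// Open reverses Seal; any change to nonce, ciphertext or header fails the tag.
func Open(key, header, msg []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(msg) < n {
		return nil, fmt.Errorf("message too short")
	}
	return aead.Open(nil, msg[:n], msg[n:], header)
}

func main() {
	alice, _ := NewEndpoint()
	bob, _ := NewEndpoint()
	server, _ := NewEndpoint() // the relay, a third party with its own key

	// Public keys pass through the server; the session key itself never does.
	kA, _ := alice.SessionKey(bob.PublicKey())
	kB, _ := bob.SessionKey(alice.PublicKey())
	header := []byte("from=alice;to=bob") // constructed routing metadata
	msg, _ := Seal(kA, header, []byte("meet at 10:00"))
	pt, err := Open(kB, header, msg)
	fmt.Printf("bob reads %q (err=%v)\n", pt, err)

	// The server holds both public keys and the ciphertext, yet its own
	// agreement with bob yields a different key and the tag check fails.
	kS, _ := server.SessionKey(bob.PublicKey())
	_, err = Open(kS, header, msg)
	fmt.Println("server can read it:", err == nil)

	msg[len(msg)-1] ^= 0x01 // one flipped ciphertext byte
	_, err = Open(kB, header, msg)
	fmt.Println("tampered message accepted:", err == nil)
}
```

The example deliberately leaves the header unencrypted: that is the metadata (who talks to whom, and when) which, as the chapter notes later, most E2EE messengers do not protect even though the content is safe.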


37.2.2 Trends 


It is anticipated that the number of mobile messaging users will increase from 
2.9 billion users in 2020 to 3.5 billion in 2025 [3]. The increasing need for organiza- 
tions to secure their messaging infrastructure is a key driver for growth, especially 
as businesses increasingly use mobile messaging applications to communicate. A 
list of key trends in the coming years is presented in Table 37.1. 


37.3 Consequences for Switzerland 


Threema is a Swiss solution used by more than 7,000 corporate customers, 
including the Swiss government. It provides some significant advantages such as 
zero-knowledge security, on-premise servers, and minimal metadata [12]. However, 
vulnerabilities were discovered in the messenger application by the Applied 
Cryptography Group at ETH Zurich [13]. They were fixed within the 3 months for 
which Threema had asked the researchers to withhold the information. 

Swiss institutions commonly conduct research on security and privacy topics that 
lay the foundation for secure messaging, for example the Zurich Information 
Security & Privacy Center at ETH Zurich [14], Identity and Access Management 
(IAM) at the Bern University of Applied Sciences (BFH) [15], or the Center for 
Intelligent Systems (CIS) at EPFL [16]. The IBM Research Zurich team conducts 
commercial research on system security and cryptography [17]. 
Table 37.1 Key trends of secure messaging 

Trend category: Technical development 

  Cloud-based platforms: Secure messaging is becoming increasingly influenced 
  by cloud-based platforms. This is especially true for communications platform 
  as a service (cPaaS), which provides a cloud-based middleware on which 
  communication software can be developed, run, and distributed. 

  Blockchain-based platforms: In recent years, blockchain technology has been 
  pushed as a means of decentralizing communications, as well as providing users 
  with more privacy and anonymity than common end-to-end encryption techniques 
  (e.g., Pretty Good Privacy (PGP)). The messaging app Session uses blockchain 
  technology to hide the IP addresses of its users and makes it possible for 
  users to communicate without providing a phone number [5, 6]. 

  Instant messaging applications: A number of applications available on 
  smartphones, tablets, and computers have reached an interesting maturity 
  point. Furthermore, these solutions are under continuous development, which 
  makes it necessary to follow them. 

Trend category: Risks 

  Phishing: Email is a common means used for phishing, which is now becoming 
  even more dangerous as phishing as a service (PhaaS) is on the rise. With this 
  service, cybercriminals help others carry out phishing attacks for a fee. This 
  provides cybercriminals with a new source of revenue and allows anyone, even 
  without expertise, to perform more professional attacks. PhaaS not only 
  increases the phishing rate, but also makes each attack potentially more 
  effective. 

  Cyberattacks in general: Cyberattacks, such as malware and phishing, will 
  continue to target messages in the future for three main reasons: financial 
  gain, data theft, and business disruption [9, 10, 11]. 


37.3.1 Implementation possibilities: Make or Buy 


In response to increased public attention, more and more solutions for secure 
messaging have emerged. However, many of these solutions do not provide strong 
and well-defined security features [7]. Many of the secure messaging solutions have 
no answer to the problem of protecting the metadata [7]. 
Secure messaging solutions should be purchased with a strong analysis based on 
the needs of each organization as end-to-end encrypted messages sent on unique 
channels could be easily attacked by spam, flooding, and denial-of-service [7]. 


37.4 Conclusion 


The demand for secure messaging solutions is growing, and the solutions are 
becoming more convenient and secure. However, even where solutions exist, choosing 
them and implementing them efficiently remains a big challenge. 
Chapter 38 
Secure Smartphone 


Yann Donon, Fabien Künzler, Pawel Jasinski, Carl Piening, 
and Arnaud Savary 


38.1 Introduction 


This chapter highlights the privacy and data safety issues of off-the-shelf 
smartphones and the need for secure smartphones to address these concerns. It 
focuses on several key features of secure smartphones, including trusted 
hardware, secure boot, encryption, and the mobile network. These features play a 
critical role in ensuring the security of a smartphone and protecting users and 
organizations against data leaks and cyberattacks. The chapter also briefly 
discusses the challenges in implementing these features and the importance of 
using trusted sources, dedicated encryption engines, and high-quality entropy 
sources to design secure smartphones. 


38.2 Analysis 


Off-the-shelf (OTS) smartphones are known to present data safety and privacy 
issues [1]. These devices often change location with their user and are notably 
vulnerable to theft, malicious access points, or malware [2, 3]. To face these risks, 
secure smartphones are being developed. They are designed to have increased 
resistance against cyberattacks and to protect users and organizations against data 
leaks while aiming to maintain the practicality of smartphones. 
38.3 Definition 


Smartphones are devices combining the features of a computer and a mobile 
phone. As such, the typical vulnerabilities of both systems exist in smartphones. 
Hardening, a process intended to eliminate means of attack by patching 
vulnerabilities and turning off nonessential services [4], is therefore key to 
making a smartphone more secure. Given the extensive range of features that 
address known vulnerabilities and the widespread adoption of smartphones, 
research on such features is abundant. This chapter focuses on a set of features 
that seem most relevant when evaluating the need for a secure smartphone. 


38.3.1 Trusted Hardware 


The hardware includes all physical parts of a smartphone and is required to run 
the software. As such, hardware security is critical to support software security. 
However, as the design complexity of hardware (system-on-chip, SoC) increased, 
foundries capable of producing these SoCs became increasingly complex and 
expensive. This resulted in a global scarcity of foundries, making it extremely 
difficult to acquire components from trusted sources. This represents a 
challenge, close to unverifiable, for any manufacturer aiming to provide secure 
hardware [5]. While approaches exist or are being researched to review hardware or 
to execute secure operations on untrusted hardware [6], capabilities in that 
direction remain limited [7, 8]. 


38.3.2 Secure boot 


Secure boot is key to bringing a device into a certain operational state. It aims at 
securing the consistency and integrity of the firmware and operating system (OS). 
If the device were compromised at this level, the whole system would be left 
vulnerable [9]. Implementations of secure boot take advantage of a hardware root 
of trust: the public key of the vendor, which is immutable because it is stored in ROM. 
The boot process verifies the signature of every loaded image against the vendor key. 
Some vendors allow the use of user-supplied public keys during the later stages of 
the boot process. Where these keys are stored is critical; in the ideal case, they are 
stored in a dedicated module to prevent alteration. During secure boot, the device 
also performs an additional security function called a downgrade check, which 
prevents the operating system from being downgraded to a version with known 
security exploits [10]. 
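Added example, not from the chapter or any vendor's firmware: a Go simulation of the secure-boot chain just described, with the vendor's public key as the immutable root of trust, optional user-enrolled keys accepted only for later stages, and the downgrade check against a rollback index. The image layout, the stage/version encoding and all names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// BootImage is a constructed stand-in for a bootloader or OS image: its boot
// stage, the version the vendor stamped on it, the payload, and a signature
// that covers all three.
type BootImage struct {
	Name    string
	Stage   int    // 0 = first image after ROM, 1+ = later stages
	Version uint32 // rollback index of this image; covered by the signature
	Payload []byte
	Sig     []byte // ed25519 signature over imageDigest(Stage, Version, Payload)
}

// imageDigest binds stage and version to the payload so neither can be
// relabelled without invalidating the signature.
func imageDigest(stage int, version uint32, payload []byte) []byte {
	var hdr [8]byte
	binary.BigEndian.PutUint32(hdr[:4], uint32(stage))
	binary.BigEndian.PutUint32(hdr[4:], version)
	h := sha256.New()
	h.Write(hdr[:])
	h.Write(payload)
	return h.Sum(nil)
}

// SignImage is the vendor's build-time step. The private key stays with the
// vendor; the device only ever holds the public half.
func SignImage(priv ed25519.PrivateKey, img *BootImage) {
	img.Sig = ed25519.Sign(priv, imageDigest(img.Stage, img.Version, img.Payload))
}

// Device models the on-device state: the immutable vendor key (the hardware
// root of trust "in ROM"), user-enrolled keys that some vendors accept for
// later stages, and the rollback index enforced by the downgrade check.
type Device struct {
	ROMKey     ed25519.PublicKey
	UserKeys   []ed25519.PublicKey
	MinVersion uint32 // on real hardware this lives in tamper-resistant storage
}

var (
	ErrBadSignature = errors.New("secure boot: no trusted key verifies this image")
	ErrDowngrade    = errors.New("secure boot: image version is below the rollback index")
)

// trustedKeys returns the ROM key always, plus user keys only for later stages.
func (d *Device) trustedKeys(stage int) []ed25519.PublicKey {
	keys := []ed25519.PublicKey{d.ROMKey}
	if stage > 0 {
		keys = append(keys, d.UserKeys...)
	}
	return keys
}

// VerifyAndBoot runs the secure-boot check for one image: the signature must
// verify against a trusted key, then the downgrade check must pass; only then
// does the rollback index advance so this version becomes the new floor.
func (d *Device) VerifyAndBoot(img BootImage) error {
	digest := imageDigest(img.Stage, img.Version, img.Payload)
	verified := false
	for _, k := range d.trustedKeys(img.Stage) {
		if ed25519.Verify(k, digest, img.Sig) {
			verified = true
			break
		}
	}
	if !verified {
		return ErrBadSignature
	}
	if img.Version < d.MinVersion {
		return ErrDowngrade
	}
	d.MinVersion = img.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	dev := &Device{ROMKey: pub}
	v2 := BootImage{Name: "os", Stage: 1, Version: 2, Payload: []byte("os-v2")}
	v1 := BootImage{Name: "os", Stage: 1, Version: 1, Payload: []byte("os-v1")}
	SignImage(priv, &v2)
	SignImage(priv, &v1)
	fmt.Println("boot v2:", dev.VerifyAndBoot(v2)) // <nil>: accepted, floor is now 2
	fmt.Println("boot v1:", dev.VerifyAndBoot(v1)) // rejected by the downgrade check
}
```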
38.3.3 Encryption 


Encryption is a process of encoding information so that only an entity with access to 
a secret can decode it and access the original information. Modern smartphones do 
not only use full disk encryption (FDE) but also rely on file-based encryption (FBE) 
to increase protection granularity by using different sets of keys for 
different sets of files (see Chap. 33). This allows, for example, for a file encryption 
key on a per-application basis, preventing applications from accessing the files of 
other applications [11]. The keys used for encryption are usually derived from a 
unique device identifier and, for some of the keys, also from a user-provided 
secret. The use of trusted execution environments, which can perform computations 
in isolation from the operating system or the central application processor (see 
Chap. 18), minimizes or even entirely prevents exposure of the encryption keys to 
the rest of the system. Ideally, encryption is performed using a dedicated, hardware- 
based encryption engine designed to withstand side-channel attacks such as static 
or dynamic power analysis or timing analysis [12]. Finally, if a device comes 
with device keys generated in the factory, it is crucial that they are 
stored in a tamper-resistant way and that all cryptographic operations with them 
are performed so that the keys are never exposed to the user or the operating system. 
Moreover, to generate keys on the device itself, it is essential to have a high-quality 
entropy source on the device, which is usually a true random number generator 
implemented in hardware [13]. 
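Added example (not the chapter's code, nor any vendor's implementation) of the file-based encryption key hierarchy described above: per-application class keys derived from a device identifier, some additionally bound to a user secret, then per-file keys used with AES-GCM. The HMAC-based derivation, the labels and the sample device identifier are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// deriveKey is a one-block HKDF-Expand (RFC 5869) with HMAC-SHA256: one
// 32-byte child key per distinct label from a parent key.
func deriveKey(parent []byte, label string) []byte {
	m := hmac.New(sha256.New, parent)
	m.Write([]byte(label))
	m.Write([]byte{0x01}) // HKDF block counter for the first (only) block
	return m.Sum(nil)
}

// DeviceRoot stands in for the factory device key that stays inside the TEE
// or dedicated engine: callers only receive derived children, never the root.
type DeviceRoot struct{ key []byte }

// NewDeviceRoot derives the root from the unique device identifier (the
// HKDF-Extract step); the identifier used below is a constructed sample value.
func NewDeviceRoot(uniqueDeviceID []byte) *DeviceRoot {
	return &DeviceRoot{key: deriveKey(uniqueDeviceID, "fbe-root")}
}

// DeviceEncryptedKey is a per-application class key bound to the device only,
// usable before the user has entered any secret.
func (r *DeviceRoot) DeviceEncryptedKey(app string) []byte {
	return deriveKey(r.key, "DE:"+app)
}

// CredentialEncryptedKey is bound to the device AND the user-provided secret:
// a wrong PIN just yields a different key, so the files will not open.
func (r *DeviceRoot) CredentialEncryptedKey(app string, userSecret []byte) []byte {
	m := hmac.New(sha256.New, deriveKey(r.key, "CE:"+app))
	m.Write(userSecret)
	return m.Sum(nil)
}

// FileKey derives a per-file key from an application class key, so a single
// leaked file key exposes neither the class key nor sibling files.
func FileKey(classKey []byte, path string) []byte {
	return deriveKey(classKey, "file:"+path)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one file's contents with AES-256-GCM; the random nonce is
// prefixed to the ciphertext.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal; a key from another app, another device, or a wrong PIN
// fails GCM authentication instead of producing garbage.
func Open(key, blob []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	root := NewDeviceRoot([]byte("constructed-device-id-0001"))
	mailKey := FileKey(root.CredentialEncryptedKey("mail", []byte("1234")), "inbox.db")
	blob, _ := Seal(mailKey, []byte("hello"))
	otherApp := FileKey(root.CredentialEncryptedKey("browser", []byte("1234")), "inbox.db")
	_, err := Open(otherApp, blob)
	fmt.Println("another app's key opens the file:", err == nil) // false
}
```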


38.3.4 Mobile Network 


The ability to control the connection to the carrier network may protect against 
connecting to unsafe, intrusive, or compromised service providers. However, most 
off-the-shelf devices maintain some degree of connectivity with network providers 
at all times and in all states as long as the battery lasts. Therefore, removing the phone's 
main antennas and replacing them with ones that can be physically connected 
or disconnected (e.g., with a switch) might offer some protection from unwanted 
connectivity. In general, however, this is insufficient to prevent all forms of wireless 
communication, as the phone might have components capable of sensing and sending 
signals independently of this antenna (e.g., electromagnetic emissions from the 
device's screen [14]). The difficulty of controlling connectivity is that support for the 
standard IPv4 and IPv6 protocol stack is usually built in and ready for use with 
all wireless and wired network technologies, such as carrier networks, Wi-Fi, 
Bluetooth, USB, or even Ethernet with the help of a USB-Ethernet adapter. 


38.3.5 Open Source 


Open source designates disclosing source code and permitting its modification and 
redistribution [15]. Disclosing the source code is generally beneficial 
for security since it makes it possible for any interested party to review the 
code for security problems. However, it is crucial that disclosure processes for vul- 
nerabilities in open source are carefully designed to prevent leakage of information 
about reported vulnerabilities, since exploiting them might be more straightforward 
than when the source code is not available [16]. It is important to note that providing 
access to source code to some entities only is different from a healthy open source- 
based security ecosystem. The complexity and cost of performing code reviews and 
vulnerability analysis by a few entities are prohibitive, especially considering that 
new software releases are provided, and need to be reviewed, frequently. A trend 
that might further increase trust in open source-based systems is the introduction 
of reproducible builds. With reproducible builds, independent third parties can 
reconstruct all OS components and compare them (e.g., using their hashes; see 
Chap. 5) with the images provided by a vendor. This can confirm that the published 
code is indeed the one running on a device without compromising secure boot 
integrity [17]. 


38.3.6 Mobile Applications 


Mobile applications are software designed to run on mobile devices. They provide 
functionality but are also a potential threat since they may contain vulnerabilities 
and are usually provided by untrusted third parties. While some applications are 
created to deceive users and gain access to information available on the phone, 
others do this without trying to hide it. After all, many benign applications out there 
collect information about the user as part of their business model [18]. Because of 
this, special care has to be taken to limit the access and capabilities of applications by 
following a need-to-know and least-privilege approach. In practice, the 
combination of the user and the operating system is often responsible for deciding 
what an application is allowed to do. The operating system uses sandboxing tech- 
niques and a permissions framework to restrict and control them [19]. However, the 
user (or risk owner in the case of managed devices) decides whether the requested 
access and capabilities are appropriate for a given application. Unsurprisingly, 
breaches or unintended use of features are numerous [20]. 
38.4 Trends 


As the mobile smartphone ecosystem continues to grow, the number of security 
threats and data breaches has increased dramatically. There is a need for increased 
smartphone security for individuals, businesses, and governments [21]. Recently, 
there has been a lot of media coverage about malware campaigns, privacy policy 
changes, and data theft, which has led to growing public awareness. A prominent 
example in this coverage is the Pegasus spyware used by NSO Group, which revealed the 
extent of vulnerabilities in all operating systems [22]. Google Play Protect Service 
also made the news, struggling to provide an efficient layer of protection, which led to 
data theft from several popular applications and highlighted another kind of privacy 
and security weak point on smartphones [23]. Finally, the continuing concentration 
of consumer data in the hands of a few, with the acquisition of WhatsApp by 
Facebook in 2015 as a prominent example, has raised serious concerns regarding 
the use and commercialization of such data [18, 24, 25]. 

The multiplication of similar cases combined with the complexity and increasing 
use of smartphones has heightened public awareness of security issues and the 
growing need for secure smartphones. Valued at 3.3 billion dollars in 2020, the 
global mobile security market is projected to reach 22.1 billion dollars by 2030, 
growing at a compound annual growth rate (CAGR) of 21.1% from 2021 to 
2030 [26]. 


38.5 Consequences for Switzerland 


While convenient, bring your own device (BYOD) models put organizations at 
increased risk of privacy and data security breaches from smartphones [27]. 
Malicious apps may access sensitive and private information. This includes but is 
not limited to the phone number, calendar, contact list, usernames and passwords, 
messages, the camera, the microphone, or GPS information [28]. Smartphones are 
also regularly used in unsecured networks. As a result, users may inadvertently 
download malicious software [29] or apps, even through official stores [30, 31]. In 
addition, Advanced Persistent Threats have been able to breach security on multiple 
occasions [2]. Such attacks are more sophisticated and targeted, often against large 
corporations, governments, or the military. In this context, the secure smartphone 
may become a necessity as it is a valuable tool to address the security risks in our 
evolving workspace. 
38.6 Implementation possibilities: Make or Buy 


Making a secure smartphone is a multi-faceted problem and is generally not an 
option for companies whose core business is not making smartphones and/or secure 
operating systems. When buying a secure smartphone, there is a multitude of 
critical factors that must be taken into account. Among them are the 
threat model, the desired level of protection and privacy, and the trust placed in 
hardware manufacturers, operating system providers, and software providers. 


38.7 Conclusion 


Smartphones are a use case that integrates numerous technologies described in this 
book. Technologies like hardware security modules (see Chap. 16) or full-disk 
or file-based encryption (see Chap. 33) play an essential role in implementing or 
securing the key components outlined in this article. Since those technologies are 
not perfect, it is logical that smartphones also suffer from their imperfections. While 
it is unrealistic to proactively protect ourselves from all the threats they may imply, 
more secure smartphone options will become available. To what extent this privacy 
and security should be leveraged remains a decision for each individual or organization, 
taking into account operational needs, threat models, and the degree of convenience. 
Part VI 
Analysis and Conclusion 


Chapter 39 
Scientometric and Wikipedia Pageview 
Analysis 


Alexander Glavackij, Sarah Ismail, and Percia David Dimitri 


39.1 Introduction 


This chapter explores trends in data protection and encryption technologies. The 
technologies analyzed are taken from the previous chapters. 

Any trend assessment concerning data protection and encryption technologies 
constitutes a challenging task for various reasons. The swift development of the 
security technologies brings a myriad of novel protocols, tools, and procedures, 
whose technological readiness levels (TRL) also evolve rapidly [1]. Also, while 
some technologies thrive, others stagnate or vanish in favour of more market- 
adapted technologies or enhanced operational implementation [2]. Moreover, in 
such a fast-paced and growing environment, opportunities and threats evolve 
quickly, making it difficult to evaluate the whole spectrum of technologies available 
on the market [3]. Consequently, evaluations of the security consequences of the 
arrival and evolution of such technologies on data protection are complex. 

Following the previous individual analysis of the data protection and encryption 
technologies, we evaluate these technologies through time by benchmarking a 
development indicator—the attention paid by different communities [4]. 
39.2 Analysis 


39.2.1 Scientometric analysis 


We conduct a scientometric analysis of the book's technologies to better understand 
how they evolved over the last 20 years. Most cryptographic technologies are the 
result of long-term research efforts. Therefore, we analyze the number of associated 
scientific works through time for each technology, which can be seen as an indicator 
of scientific interest in that technology [5]. Growing attention points toward 
promising or emerging technologies, as researchers tend to dedicate significant 
resources to potentially valuable technologies. Conversely, low interest in a given 
technology correlates with a lack of technological novelty and with obsolescence. 

To provide such a scientometric analysis, we use the OpenAlex dataset, which 
describes scholarly entities (works, authors, institutions, venues, and concepts) and 
their connectivity patterns using a graph structure.¹ Importantly, each scholarly 
work has concepts associated with it that are represented in the paper. OpenAlex 
organizes publications’ concepts into a tree structure, where general concepts are 
parents of more fine-grained ones. OpenAlex has 65,026 concepts, ranging from 
Political Science to Physics. Scientific works are tagged automatically using a 
classification model trained on the Microsoft Academic Graph (MAG) [6]. Thus, 
OpenAlex provides a taxonomy of topics discussed in the scientific literature, 
used here to retrieve scientific works tagged with this book's 38 technologies. We 
scrape the scientific works tagged with those 38 technologies, taking for each a 
monthly count of the number of published papers. This yields a time series for each 
technology, which we use to analyze the technologies over time. 

The technologies' time series display different development patterns; therefore, 
we cluster them according to the exhibited pattern into three classes: no growth, 
moderate growth, and strong growth. We calculate the clusters in the following 
manner: we divide the average number of publications during the first 3 months 
in 2022 by the average number of publications during the first 3 months in 2012. 
We refer to the resulting ratio as the growth ratio. If growth ratio < 1.05, we deem 
the technology as not growing. The technology exhibits moderate growth if 1.05 < 
growth ratio < 2. The technology thrives if growth ratio > 2. 

Additionally, we cluster the technologies into low, moderate, and high-interest 
technologies. A technology is a high-interest technology if the average monthly 
publication count is c > 50, a moderate-interest technology if 15 < c < 50, and 
a low-interest technology if c < 15. The growth pattern and interest level form a 
two-dimensional matrix where we can arrange the technologies. Table 39.1 shows 
the resulting matrix for 24 selected technologies. 

¹ https://docs.openalex.org/. 

Table 39.1 Selected technologies of this book sorted into a two-dimensional matrix, created by 
clustering the technologies by their past growth and interest in the research community 

Growth pattern   | Low interest               | Moderate interest         | High interest 
-----------------|----------------------------|---------------------------|---------------------- 
No growth        | Confidential Computing,    | Authentication,           | Asymmetric Encryption 
                 | Digital Rights Management, | Digital Signature,        | 
                 | Disk Encryption            | Identity Management,      | 
                 |                            | Key Management            | 
Moderate growth  | Electronic Voting,         | Quantum Cryptography,     | Biometrics, 
                 | Functional Encryption      | Random Number Generation, | Hash Function 
                 |                            | Symmetric Cryptography    | 
Strong growth    | Hardware Acceleration,     | Differential Privacy,     | Blockchain 
                 | Hardware Security Module,  | Homomorphic Encryption,   | 
                 | Post-Quantum Cryptography, | Quantum Key Distribution  | 
                 | Zero-Knowledge Proof       |                           | 

We emphasize interesting patterns. High-interest technologies which have been 
researched extensively include Blockchain, Hash Function, and Asymmetric 
Encryption. Except for Blockchain, these technologies represent the backbone of 
today's cybersecurity landscape. However, Blockchain is the only one of them 
exhibiting strong growth. 
large part of its development ahead of it. Moderate-interest technologies represent 
more specialized techniques and methodologies that have established themselves. 
Digital Signatures, Authentication, and Key Management are well-known and 
widely used technologies, but interest in them is not growing further, indicating 
technical convergence. Emerging technologies, especially Differential Privacy and 
Quantum-related technologies, exhibit growth and can be counted on to become 
more critical in the future. Low-interest, non-growing technologies are niche 
technologies, like Disk Encryption and Functional Encryption. However, some 
low-interest technologies exhibit strong growth, like Post-Quantum Cryptography, 
Zero-Knowledge Proof, and Hardware Security Modules. These technologies have 
been relatively recently established, and the research interest indicates that most 
discoveries in those technologies are yet to be made (Fig. 39.1). 


39.2.2 Evolution of public attention 


To explore further, we look at the evolution over time of public attention to 
technologies through Wikipedia's pageview statistics. The motivation of the public 
to know more about a technology provides good information on the position and 
the popularity of the technologies [7]. Wikipedia's pageview statistics give the 
number of visits to a page over a given period at a chosen frequency (daily, 
monthly, or yearly; in this work, we use the monthly frequency). Such statistics 
cover each page. The statistics do not consider the time Internet users spend 
on a page: whatever its duration, a visit is counted as a view. We collect data for 
37 technologies over 82 months, from July 2015 to April 2022. Again, we group 
the technology time series into three classes: no growth, moderate growth, and 
high growth. Clusters are calculated as follows: we divide the average pageviews 
of the last 3 months by the average pageviews of the last 3 months from 6 years 
ago. We refer to the resulting ratio as the growth ratio. If growth ratio < 1.05, we 
deem the technology as not growing. The technology exhibits moderate growth if 
1.05 < growth ratio < 2. The technology thrives if growth ratio > 2. We also cluster 
the technologies into low, moderate, and high-interest technologies. A technology 
is a high-interest technology if the average number of pageviews per month is c > 
50,000, a moderate-interest technology if 25,000 < c < 50,000, and a low-interest 
technology if c < 25,000. We provide the two-dimensional matrix clustering the 
technologies according to their growth in Table 39.2 (Fig. 39.2). 

Table 39.2 Technologies of this book sorted into a two-dimensional matrix created by clustering 
the technologies by their past growth and public interest 

Growth pattern   | Low interest                        | Moderate interest          | High interest 
-----------------|-------------------------------------|----------------------------|----------------------- 
No growth        | Authentication,                     | Biometrics,                | Asymmetric Encryption, 
                 | Confidential Computing,             | Digital Rights Management, | Hash Function 
                 | Disk Encryption,                    | Digital Signature          | 
                 | Electronic Voting,                  |                            | 
                 | Email Security,                     |                            | 
                 | Hardware Security Module,           |                            | 
                 | Identity Management,                |                            | 
                 | Key Management,                     |                            | 
                 | Quantum Cryptography,               |                            | 
                 | Secure Messaging,                   |                            | 
                 | Secure Operating System,            |                            | 
                 | Symmetric Cryptography,             |                            | 
                 | Tunneling                           |                            | 
Moderate growth  | Differential Privacy,               | Random Number Generation   | 
                 | Functional Encryption,              |                            | 
                 | Hardware Acceleration,              |                            | 
                 | Homomorphic Encryption,             |                            | 
                 | Quantum Key Distribution            |                            | 
Strong growth    | Identity-based Cryptography,        |                            | Blockchain 
                 | Multi-party Threshold Cryptography, |                            | 
                 | Post-quantum Cryptography,          |                            | 
                 | Private Set Intersection,           |                            | 
                 | Searchable Symmetric Encryption,    |                            | 
                 | Secure Multi-Party Computation,     |                            | 
                 | Trusted Execution Environment,      |                            | 
                 | Zero-knowledge Proof                |                            | 
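Added example, not the chapter's own code: the growth-ratio and interest clustering of Sects. 39.2.1 and 39.2.2 implemented in Go on constructed monthly series, parameterized so that the same function produces both the publication-count matrix and the pageview matrix. Treating a ratio exactly equal to 1.05 or 2 (or a count exactly on an interest cut-off) as the middle class is an assumption; the chapter leaves the boundaries unspecified.

```go
package main

import "fmt"

// Thresholds holds the cut-offs used to place a technology in the matrix; the
// chapter's two analyses share the growth cut-offs and differ in interest.
type Thresholds struct {
	ModerateGrowth   float64 // growth ratio below this: no growth
	StrongGrowth     float64 // growth ratio above this: strong growth
	ModerateInterest float64 // mean monthly count below this: low interest
	HighInterest     float64 // mean monthly count above this: high interest
}

var (
	PublicationThresholds = Thresholds{1.05, 2, 15, 50}       // Sect. 39.2.1
	PageviewThresholds    = Thresholds{1.05, 2, 25000, 50000} // Sect. 39.2.2
)

func mean(xs []float64) float64 {
	sum := 0.0
	for _, x := range xs {
		sum += x
	}
	return sum / float64(len(xs))
}

// GrowthRatio divides the mean over a recent window by the mean over a baseline
// window of the same length (first 3 months of 2022 over first 3 months of 2012
// for publications; last 3 months over the same months 6 years earlier for pageviews).
func GrowthRatio(series []float64, baselineStart, recentStart, window int) float64 {
	recent := mean(series[recentStart : recentStart+window])
	baseline := mean(series[baselineStart : baselineStart+window])
	return recent / baseline
}

// bucket applies the chapter's three-way rule: below lo, between lo and hi,
// above hi. A value exactly on a boundary falls in the middle class (assumption).
func bucket(x, lo, hi float64, below, mid, above string) string {
	switch {
	case x < lo:
		return below
	case x <= hi:
		return mid
	default:
		return above
	}
}

// GrowthClass: < 1.05 no growth, up to 2 moderate growth, above 2 strong growth.
func GrowthClass(ratio float64, t Thresholds) string {
	return bucket(ratio, t.ModerateGrowth, t.StrongGrowth,
		"no growth", "moderate growth", "strong growth")
}

// InterestClass buckets the mean monthly count with the interest cut-offs.
func InterestClass(avg float64, t Thresholds) string {
	return bucket(avg, t.ModerateInterest, t.HighInterest,
		"low interest", "moderate interest", "high interest")
}

// Cell is one position in the two-dimensional matrix of Tables 39.1 and 39.2.
type Cell struct{ Growth, Interest string }

// BuildMatrix places every named monthly series into its cell.
func BuildMatrix(series map[string][]float64, baselineStart, recentStart, window int, t Thresholds) map[Cell][]string {
	m := map[Cell][]string{}
	for name, s := range series {
		c := Cell{
			Growth:   GrowthClass(GrowthRatio(s, baselineStart, recentStart, window), t),
			Interest: InterestClass(mean(s), t),
		}
		m[c] = append(m[c], name)
	}
	return m
}

// step builds a constructed sample series (not the chapter's data) that holds
// `before` until month `at` and `after` from then on.
func step(n, at int, before, after float64) []float64 {
	s := make([]float64, n)
	for i := range s {
		if i < at {
			s[i] = before
		} else {
			s[i] = after
		}
	}
	return s
}

func main() {
	// 123 months, Jan 2012 (index 0) to Mar 2022 (index 122): baseline window at 0,
	// recent window at 120, both 3 months long, as in Sect. 39.2.1.
	series := map[string][]float64{
		"established (constructed)": step(123, 123, 80, 80), // ratio 1, mean 80
		"niche (constructed)":       step(123, 60, 10, 15),  // ratio 1.5, mean 12.6
		"emerging (constructed)":    step(123, 100, 4, 12),  // ratio 3, mean 5.5
	}
	for cell, names := range BuildMatrix(series, 0, 120, 3, PublicationThresholds) {
		fmt.Printf("%-15s / %-17s: %v\n", cell.Growth, cell.Interest, names)
	}
}
```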

Again, the technologies attracting significant public interest are Blockchain, 
Hash Function, and Asymmetric Encryption. Blockchain shows strong growth, 
unlike Hash Function and Asymmetric Encryption, which show no growth. Again, 
technologies with more specialized techniques and methodologies, such as Dig- 
ital Signatures and Biometrics, are seeing moderate interest. Low-interest and 
no-growth technologies are niche technologies, such as Disk Encryption, or long- 
standing technologies, such as Email Security. However, some low-interest tech- 
nologies, such as Post-quantum Cryptography, still show strong growth (Fig. 39.3). 
Fig. 39.3 Correlation between pageviews of technologies in Wikipedia from July 2015 to April 
2022 


39.2.3 Correlation Analysis 


To carry out an exploratory data analysis and get an idea of the potential 
relationships between these technologies, we display a correlation matrix 
of Wikipedia's monthly pageviews. However, these correlations can potentially 
contain confounding factors and spurious relationships (as the time series are not 
stationary). Figure 39.4 shows positive or negative correlations between pageviews. 
For instance, we notice that “Identity-based encryption” and “Searchable symmetric 
encryption" highly correlate. On the other hand, “Quantum Key Distribution" has 
no or a very weak correlation with all the other technologies. 


39.2.4 Comparison of public and expert attention 


The relationship between these proxies for the two types of attention diverges over 
time. However, graphically, we observe that expert attention follows public attention 
by a few months. For instance, in the case of Random Number Generation, public 
attention increased around 2019, while expert attention started to pick up 1 year 
later. 


39.3 Conclusion 


In conclusion, this chapter evaluates data protection and encryption technology 
trends through time. We used a benchmarking development indicator, the attention 
brought by different communities, to perform the analysis. This attention was 
measured through a scientometric analysis of the production of scientific works and 
through the public attention given to these technologies, as reflected in Wikipedia 
pageviews. Our results showed that high-interest technologies like Blockchain, 
Hash Function, and Asymmetric Encryption are widely researched and used, but 
only Blockchain exhibited strong growth. Moderate-interest technologies like Digital 
Signatures, Authentication, and Key Management have established themselves but 
show no further growth, indicating technical convergence. Finally, emerging technologies like 
Differential Privacy and Quantum-related technologies showed growth, indicating 
their potential to become more critical in the future. This analysis provides valuable 
insights into the development of data protection and encryption technologies and 
their impact on the security landscape. 
Chapter 40 
Trends in Open Source Software for Data 
Protection and Encryption Technologies 


Lucía Gómez Teijeiro and Thomas Maillart 


40.1 Introduction 


Software editors and practitioners have increasingly developed and used open- 
source software tools to implement their cybersecurity strategies. By its unique 
intellectual property regime, open-source software fosters transparency and sharing 
values, which have been recognized as important to finding and fixing vulnerabilities 
and quickly avoiding threats. By selecting 41 technologies related to the ones 
presented in the book, we show that open-source software for cybersecurity is a 
rapidly growing complex ecosystem of 3456 GitHub repositories with 5000+ users. 
While some repositories are prominent, many have evolved under the radar, serving 
niche or emergent needs. Here, we provide the first account of trends in open-source 
software for cybersecurity and develop a non-parametric forecasting approach to 
provide an outlook of its development towards 2025. 


40.2 Open Source Software and Cybersecurity 


Following Eric Raymond's adage, “Given enough eyeballs, all bugs are shallow" [1], 
key promises of open source software (OSS) have been transparency, task self- 
selection, and peer-review [2]. In times of increasing economic, social, and political 
challenges in cyberspace, securing full access to software code has become a 
critical aspect of digital sovereignty [3]. Organizations face numerous dangers using 
software they do not control, such as forced technology obsolescence, product 
discontinuity, and cybersecurity risks. For organizations with short business cycles, 
such risks are limited compared to the opportunity to use highly efficient 
closed-source solutions. However, for critical infrastructures built over decades or 
more, the risk of not having control over software or hardware code is serious. 
For instance, the European Organization for Nuclear Research (CERN) has been 
at the forefront of open-source software and open hardware strategy developments 
precisely because their research infrastructures take more time to build and operate 
than the expected lifespan of most technology providers [4]. 

OSS development, as a community of collective action [5], carries numerous 
benefits associated with the power of collective intelligence [6, 7]. Those benefits are 
highly desirable in many cyber-security applications (e.g., hunting vulnerabilities 
through bug bounty programs) [8]. Moreover, given its short reaction overhead, 
collective action appears to be a rational response to increasingly time-critical 
cybersecurity challenges [9]. 

With an increasing need for transparency and the pressure to ensure continuously 
reliable systems, OSS for cybersecurity is expected to keep developing as a 
complement and an alternative to closed source. 


40.3 GitHub: A Social Coding Paradigm in Software and 
Hardware Development 


GitHub was established in 2008 [10] as a social coding platform based on git 
technology, a distributed software version control system initiated by Linus Torvalds 
to efficiently track changes in software source code in the decentralized setting 
compatible with Linux Kernel development [11]. Nowadays, GitHub has become 
the primary online platform for collaborative OSS development. Here, we studied 
GitHub repositories associated with data protection and encryption. We found that 
the number of created repositories increases exponentially (cf. Fig. 40.1). 

The exponential growth of the repository creation rate is expected for data 
protection and encryption, given that GitHub is a relatively new platform. In 
addition, as more OSS code accumulates, the marginal cost of repository creation 
decreases. Indeed, previous software artifacts can be reused as a complex adaptive 
network of package dependencies [12], git forks, or simply through code copy-paste. 


¹ We investigated 9003 GitHub repositories created since 2008 relating to the 41 data protection 
and encryption technologies. We collected descriptive data for each repository (description, 
keywords, README.md) and creation date. 
Fig. 40.1 (upper panel) Evolution of repository creations with a color-coded continuous measure 
of inflection. Repository creation is best fitted by an exponential model (blue curve) with rate 
k = 1/t = 0.88 (p < 0.001 and R² = 0.88). (lower panel) The inflection score captures the velocity 
(i.e., the derivative) of repository creations 


40.4 Clustering the Complexity of OSS Cybersecurity 
Ecosystems 


When considering OSS ecosystems in data protection and encryption, a significant 
challenge is to make sense of a complex landscape of repositories covering over- 
lapping topics. Indeed, frameworks used or developed in GitHub repositories are 
likely to cover several technologies, some more pervasive than others. Figure 40.2 
shows how technologies, as queried on the GitHub search engine, intersect with clusters 
of repositories built using unsupervised machine learning on (1) repository 
descriptions, (2) keywords, and (3) README files.² Some technology categories 
robustly match specific clusters (e.g., digital signatures, symmetric cryptography, 
blockchain, Web3), while others spread across several clusters (e.g., 0, 1, 2), thus 
being less specific. 


² Text was processed for term frequency-inverse document frequency (tf-idf) word embedding and 
reduced into a 2D Uniform Manifold Approximation and Projection for Dimension Reduction 
(UMAP). Communities were detected using Louvain clustering. 
40.5 Outlook Towards 2025 


Monitoring OSS repositories for data protection and encryption technologies is like 
investigating a hidden giant finally emerging to the light of day: the number of 
repositories being created has been growing exponentially until now. Some became 
successful commercial products (e.g., Threema in Switzerland), others became 
central components of Web security architectures (e.g., OpenSSL), while many 
are still addressing niche needs. Notably, some of these niches will eventually turn 
mainstream. Therefore, detecting and monitoring current and future repositories that 
count, or will count, for cybersecurity is critical to identifying and harnessing 
development opportunities for data protection and encryption technologies, digital 
sovereignty, and sound business. 

Combining long-term exponential growth rates, inflection dynamics, and growth 
density for each data protection and encryption category, we forecasted their 
development until 2025. Figure 40.3 shows that forecast until 2025, combined with 
their historic growth dynamics.³ 


40.5.1 Consequences for Switzerland 


Improving OSS monitoring for data protection and encryption is critical for Switzer- 
land. As a small country with limited ability to see domestic tech giants emerge and 
yet a reputation of safety and reliability, Switzerland's researchers and entrepreneurs 
have an edge in leveraging OSS ecosystems. One example is Threema, which 
has built an authoritative secure messaging OSS app. In addition, having full 
access to software code is crucial for the accountability of solutions provided by 
the industry and hence, for the cybersecurity of critical infrastructures. Finally, 
understanding and forecasting future trends in OSS cybersecurity ecosystems is key 
to assessing and anticipating the evolution of critical data protection and encryption 
technologies. 


³ Specifically, we fitted and cross-penalized three TES models over creation date dynamics: density 
kernel, exponential cumulative distribution, and inflection score. 
Chapter 41 
Conclusion 


Valentin Mulder 


41.1 Summary 


The qualitative analysis performed in Chap. 39 has found that the technologies in the 
field are either ready for use or will be ready soon, with no signs of being outdated. 
The specialist also highlights the tremendous academic research opportunities in 
Switzerland and the attractive economic prospects in this sector. On the other hand, 
a quantitative analysis, which analyzed research through various metrics such as 
publications, public attention, Wikipedia page views, open source software, and 
GitHub repositories, supports the findings of the qualitative analysis, with only some 
minor differences observed. 


41.2 Limitation 


The limitations of this study include the static nature of the information presented, 
as the data and research used are limited to the time of conducting this research. 
Therefore, the results may not accurately reflect any changes or developments 
in the field since it was completed. The challenges faced when defining and 
accurately categorizing the data protection and encryption technologies discussed 
were numerous. Finally, the field is constantly evolving, and new technologies may 
emerge that would need to be addressed in the study. 

These limits should be considered when interpreting the results and conclusions 
presented in this study. It is important to note that the projections and predictions 
are based on the most relevant and available information. However, they may not 
necessarily reflect the actual outcomes. The analysis and conclusions presented 
are subject to change as the domain continues to evolve and new technologies are 
explored and developed. In summary, this book delivered a snapshot of the current 
state of data protection and encryption technologies in 2022, but it is neither 
exhaustive nor definitive. 


41.3 Outlook 


Conducting further research and gathering more data will enhance the accuracy and 
relevance of the findings. 

It is also important to reevaluate the findings in 2025. The world of data protec- 
tion and encryption technologies is constantly evolving, and new technologies and 
developments may need to be addressed. In addition, this reevaluation 
will provide an opportunity to assess the accuracy of the predictions and projections. 
A better understanding of these technologies may make it necessary to update or 
correct the final results. 

This study provides an expansive overview of data protection and encryption 
technologies. There is still a lot to be discovered and understood. Therefore, the 
following steps are future reevaluations of the results to provide a more complete 
and accurate panorama of the trends and developments in data protection and 
encryption technologies. 